Ohio has admitted to “accidentally” releasing the protected health information of 59,000 Buckeyes who received mental health services. While the incident is likely due to simple oversight, it is a devastating blow to those seeking to keep their health history private.
The breach occurred in February when the state’s Department of Mental Health and Addiction Services mailed out postcards inviting former patients to participate in a survey. While the information released does not put recipients in danger of identity theft, it does betray full names, addresses, and the fact that these individuals sought out mental health and/or addiction services.
The department suggests mailing future invitations in sealed envelopes to protect patient information, but the damage has already been done. The agency admits it has been sending uncovered postcards for the past five years.
As recompense, the state of Ohio should be forced to pay fines for its repeated HIPAA violations. Such noncompliance fines range from a mere $100 per record to a maximum of $1.5 million per year for repeated violations.
Fines are broken into two main categories: “Reasonable Cause” (a violation that was unknown despite reasonable diligence) and “Willful Neglect” (a violation due to negligence which is not corrected within one month). In this case, arguments could be made for both categories – but either way, there must be some punishment for these repeated violations of privacy that have affected nearly 60,000 individuals.
The incident, which translates to serious embarrassment for anyone needing to keep his or her health information private, exemplifies the dangers of collecting this kind of data in the first place.
Editor’s Note: Tens of millions of financial and medical records have been lost in the government and corporate environments, with varying amounts of damage. Information is power; your private information is power in the hands of others.