Confidential information about more than 10,200 patients of Dent Neurologic Institute was inadvertently sent to more than 200 patients Monday in an email attachment.
The personal information – including patients’ names and home addresses, their doctors’ names, last appointment dates and their email addresses – was contained on an Excel patient spreadsheet.
The data does not include specific information about the patients’ medical conditions, birth dates or Social Security numbers, according to Dent, which attributed the privacy breach to “human error.”
“The list was mistakenly attached to a routine email that was being sent to patients by a clerk in the DNI administrative office,” Dent said Tuesday in a statement.
“We are very sorry this happened, and we deeply apologize to all of our patients, referring physicians and WNY health care partners,” Dent CEO Joseph V. Fritz said in the same news release. “Patient confidentiality is extremely important in our field, and we take it very seriously, and we will review how this accident happened so we can take steps to minimize the possibilities it could ever happen again. This is an inexcusable event.”
Dent officials did not respond to requests to comment further. The institute said that by Tuesday afternoon it had contacted all of the 200 patients who received the email and asked them to delete the message.
Not every patient of the institute was listed on the spreadsheet. However, some patients whose information was included remain upset by the breach of privacy.
“I’m on there, and my daughter is on there, and I know other people on there,” said Kelly J. Asher, a health and wellness coordinator with Erie County’s Senior Services, who received the email and is in the database.
“When I opened the attachment and realized the plethora of personal information that was carelessly sent out by the Dent Institute, I was very disturbed,” Asher added.
“I also must question the intent of the email, and I’m not sure I buy the explanation of the incident given by Dent. This list would certainly be helpful for a business trying to directly market a product to a targeted group of patients.”
Several Dent patients contacted for this article said they were learning about the release of their information from a reporter.
“The scary thing is, The Buffalo News knows about this and I don’t,” said Ross T. Runfola Jr., a member services supervisor for health insurance provider Fidelis Care.
Runfola said he’s also worried that identity thieves could get their hands on this data.
“It’s amazing what you can do with a little information,” said Runfola, who only recently started going to Dent.
Asher and Runfola view the release of the patient data as a violation of HIPAA, the Health Insurance Portability and Accountability Act, which protects patient privacy.
A breach of HIPAA is “an impermissible use or disclosure … that compromises the security or privacy of the protected health information that … poses a significant risk of financial, reputational or other harm to the affected individual,” according to the federal Department of Health and Human Services.
“It certainly seems to fall within the general definition of ‘individually identifiable health information.’ That’s the magic phrase from the privacy rule,” said Anthony H. Szczygiel, a University at Buffalo law professor and director of the Law School’s William and Mary Foster Elder Law Clinic.
An institution that violates HIPAA could face civil or criminal penalties, but these are issued only for the most serious and malicious misconduct, said Szczygiel, who teaches an introductory course on health law.
Even if this data release doesn’t violate HIPAA, he added, “I would think this violated institutional policies, so I think some heads would roll for that.”
The act also requires any companies involved in the breach to notify media and affected individuals.
According to Dent, it has already notified the state Department of Health and will send a letter of notification and apology to all the patients involved in the breach.
Dent officials did not say what, if any, safeguards they plan to put in place to prevent a future breach.
The accidental release of the database follows another recent misfire by Dent in which all the institute’s patients received letters by mail that were intended only for those with Catholic Medical Partners physicians, causing confusion among those with other doctors.
In a response at that time, Fritz wrote on the institute’s website: “These letters were distributed to our entire patient database rather than just those patients currently under the CMP program. Many patients are now questioning why we moved away from Kaleida, etc., and are concerned their insurance will no longer cover them. … Frankly, it was an unfortunate mistake that these letters were sent to our entire patient population, and we sincerely apologize for creating this confusion.”
Dent Neurologic treats patients of all ages for such conditions as concussions, headaches, dizziness and sleep problems, as well as those with multiple sclerosis, epilepsy and memory disorders. It has offices in Amherst, Orchard Park, Derby and Batavia.
Dent patients who have questions about the email incident can call the institute at 250-2000.