WECT Investigates: Privacy on the line

Reported by Casey Roman
Posted by Debra Worley

WILMINGTON, NC (WECT) - You expect doctor's records to be private, but we've discovered that's not necessarily the case.

For the last month, WECT has been working on an investigation that is so sensitive, we waited until the problem was solved before airing this story.

Confidential mental health assessments from Evergreen Behavioral Management in Wilmington were available for all to see on the internet.

The records, which listed specific medications, doctors' names, ages, addresses, personal relationships, and even addictions, were found on the internet.

"I got on and when I did it just floored me - you could just bring it up," said an informant.  "I was devastated. This thing goes all the way from 2006 up to 2009."

That was the reaction of the HIPAA trainer who found the documents.  He's made sure to keep his identity hidden since it is part of his job to teach medical facilities how to protect patient information to prevent a breach.

All it took to find the records was typing in a few keywords, and pages and pages of doctors' notes were revealed.

Evergreen Behavioral Management says privacy is their policy.

"With something like this, it does, it contradicts everything we've put in place, into practice," said office operations manager Kathie Hurley.

According to Hurley, the security breach isn't the business's fault.

"It didn't come from our server, which is a very secured site," said Hurley.  "We have vendors who we contract some work out to. One of those vendors had a security break on their end."

On the other end was Deborah Hammonds, whose company, Efficient Coding, transcribes Evergreen's doctor notes.  They're held on her Yahoo website that only Evergreen is supposed to have access to.

"It's gotta be a glitch because everything is password protected," said Hammonds.

But, it wasn't really a glitch, it was just technology.  Hammonds used a Yahoo website to store and transfer documents to Evergreen.

On a public web server, passwords keep files from the eyes of basic viewers, but not from Google's.

Google technology can look through any document, and it does.  Google robots "crawl" through the web, adding pages to its giant index - like a collection of the pictures it sees.

That technology is supposed to help you by making searches faster by allowing you to view them as HTML.

Simply put, the confidential documents got their picture taken and got posted.

"I was definitely shocked," said Hammonds.  "When I got the phone call and they said our work is on the Internet, I said, 'There's no way! There's no way it's there.'"

They wouldn't be there if the code to keep them hidden had been used.  Hammonds said Yahoo never told her about the need for an extra code.

"It's a private domain that we told them was for medical transcription information and that needed to be secured to the highest specifics and that's what we were assured that we had," said Hammonds.

WECT asked Hammonds to see her website agreement with Yahoo, but hasn't heard back.

A Yahoo engineer said Hammonds probably wasn't told about the code, but in an email, a Yahoo senior account executive wrote, "Yahoo's web hosting service provides full security, when properly enabled by the customer."

The cure for this problem was scrubbing off any trace of the documents from Google.  Now the confidential records are private - the way they're supposed to be.

Online confidentiality depends only on codes; it's not always a guarantee, and it's certainly not implied.

From the time WECT learned the medical records could be seen online, it took only a few days for them to be removed from the web.

There's no way to know how long they were there before anyone found them.

©2009 WECT. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.