Mass. Marijuana Program HIPAA Breach Reported
A violation of the HIPAA Privacy Rule has been reported after the Massachusetts Health Department sent a mailing to patients enrolled in its medical marijuana program. The violation involves a bizarre oversight, which should have been detected prior to the email being sent.
Over a period of three months more than 6,800 emails were sent to patients advising them that they had been approved to join the medical marijuana program run by the state. This information is sensitive and should have been communicated to the patients via a secure medium.
The mailing the patients received included a subject line of “Confirmation of Patient Certification in the Medical Use of Marijuana Online System.” Also contained in the emails was the intended recipient’s full name and registration number.
Since the emails contained personal identifiers and the choice of subject line, this incident is considered to be a breach of HIPAA Privacy Rule as the enrollment in the program can be classed as medical information. Also of concern is the incident involved a unique code and the patient’s email address, which is all that is required to get through the first level of security on the state’s database, according to a report by the Boston Globe. Once through that level of security other personal information could be obtained.
Since being notified about the potential HIPAA breach caused by the mailing, the Mass. Health Department changed the subject line to ensure the content of the message could not be determined, although the email was still being sent from a “MedicalMarijuana” email account. The Globe reports that the email account is in the process of being changed.
Deputy Director of the Massachusetts Patient Advocacy Alliance, Nichole Snow, spoke out about the incident and said that “I was shocked to see that [subject line],” and “This information should be treated sensitively.”
In response to the incident, communications director for Governor Charlie Baker, Tim Buckley “is reviewing the medical marijuana program from top to bottom, including concerns regarding patient privacy.”
It was pointed out that no passwords or personal information were sent in the email. To gain access to the healthcare provider’s system a link in the email must be clicked and a login and password must be entered.
Care Must be Exercised when Sending PHI over Email Networks
Emails are now accessed at home, at work and elsewhere on mobile devices. Message notifications can alert anyone in the vicinity that there is a message waiting. Messages may be viewed in public, such as in libraries or schools and there is no guarantee that the intended recipient will be the first person to see the message.
In this incident, anyone walking past an individual who was checking their emails could have been instantly alerted to the fact that the individual was enrolled in a medical marijuana program.
That information could potentially cause harm to that individual, result in discrimination or potentially loss of opportunities and employment. It is essential that information such as this, or any other medical matter, is not written in the subject line of an email.
Many healthcare providers use automatically generated generic subject lines such as “new patient gateway message” or similar to avoid this problem. The recipient can then choose to open that message in private to prevent the accidental disclosure of medical information.