Last week's posting of medical records hacked from an Ohio medical group is raising questions about social media's role in protecting patients' privacy.
A Twitter account with the handle @pravsector contained a screenshot of a spreadsheet page with two dozen patients' names, addresses, phone numbers, dates of birth, their insurance carriers and insurance ID numbers, and for some, abbreviated diagnoses such as “prostate” or “sex drive.”
The tweet included a link to a Google Drive account, reportedly containing thousands of documents from Central Ohio Urology Group, a multisite practice based in a Columbus suburb.
Adam Greene, a healthcare privacy lawyer with Davis Wright Tremaine in Washington, D.C., said he's never before seen hackers expose patient data through social media.
The post remained on Twitter for at least 16 hours. Neither Twitter nor Google responded to requests for interviews by deadline. A message on the Ohio group's phone said a probe into the breach, including identifying all those patients affected, is expected to take several weeks.
Last year, an ESPN anchor tweeted a National Football League player's medical record showing the player's right index finger had been amputated after a fireworks accident.
The record did not say where the procedure was performed, though some media outlets alleged that the record had been leaked by an employee of Miami-based Jackson Health System. CEO Carlos Migoya took to Twitter to state that Jackson Health was aggressively investigating the allegations.
But Twitter was not implicated in any wrongdoing.
Anyone, including physicians, nurses and other healthcare employees who post patient information are subject to penalties under the Health Insurance Portability and Accountability Act. But social media hosts have not historically faced any punishment for their role in maintaining breached information public.
Kirk Nahra, another privacy expert and attorney with Wiley Rein in Washington, D.C., couldn't recall an instance where social media was used to link to a purloined data trove, but he warned against using clouds to store information, as that data could become vulnerable in the more open arena.
“We've seen a bunch of those cases where they were using stuff for convenience and didn't think of the security implications,” he said, “All of these technological opportunities to make things easier (and) often more effective, carry with them risks.”