Personal info from more than 500 Alaskan patients on Web

SITKA, Alaska (AP) — A Sitka resident conducting an Internet search recently helped reveal that the personal information of more than 500 patients of a local chiropractor was available on the Web.

Dr. Paul Beane, a chiropractor at the Sitka Wellness Center, told the Sentinel an "electronic medical record software vendor" he used for about 9 months in 2008 had stored patient information, including names, dates of birth, social security numbers and addresses, on a Web server in an "unsecured text file" that was easily accessible.

Beane said up to 566 of his patients had their information compromised, although Sitka police said there have not yet been any reports about suspicious activity that might be tied to the security breach.

Beane's patient who made the discovery during a Google search Saturday realized the personal information was accessible and called police.

Lt. Barry Allen said an investigating officer was then able to pull up "fairly complete" information on a number of other Sitkans, including some employees of the police department.

Allen said the available information "varied from party to party," but in some cases was complete. He said he "recognized a lot of the names" on the patient list.

The patient information has since been removed from the Web and Beane said he is working with Google to have it scrubbed from Internet archives as well. It is not clear how long the information was available on the Internet.

Beane put the blame for the leak squarely on EMR4Doctors.com, a company Beane used when he switched to electronic records in April, 2008.

"I'm absolutely furious that this happened," Beane said. "I will do everything in my power to bring the person responsible for this to justice."

He added: "Hopefully, my patients will acknowledge the fact that this has nothing to do with me and everything to do with the vendor."

Beane said he used the software provider from about April 2008 to January 2009, when he switched back to paper records. The company, which Beane said is registered in Nevada, apparently stopped doing business in 2009. A number for the company was disconnected, and there was no current listing for it in Las Vegas.

Beane said he did not believe the records were posted intentionally, but called the security breach "sloppy and careless."

Allen said that until police receive a report about the information being used fraudulently, no criminal charges will be made. He said police would probably "package up" the information they have about the case and send it to the state attorney general in the next few days.

"Until somebody uses the information it's more of a civil issue," Allen said.

Beane, who is working with a lawyer in Pennsylvania, said he was "exploring his legal options," which could include a civil lawsuit against the software vendor.

"This has been a nightmare," he said. "I want justice for my practice and for my patients."

Beane said he was required by law to contact the media about the security breach. He's also working with the federal Department of Health and Human Service's Office of Civil Rights and the Internet Crime Complaint Center.

Beane thanked the Sitkan who discovered the patient information for reporting it, saying that person "did a service" for the community.

Beane was in the process of notifying his patients about the situation, as required by law, and encouraged them to file complaints with the Internet Crime Complaint Center. Sitkans with questions can contact Beane at 907-747-2726.


Information from: Daily Sitka Sentinel, http://www.sitkasentinel.com/

Comments

Use the comment form below to begin a discussion about this content.

Please review our Policies and Procedures before registering or commenting

News Tribune - comments