Release of organ donor data prompts changes

From...

By Brian Sullivan

(IDG) -- The University of Minnesota has removed the names of organ donors from a database used to generate letters to organ recipients to prevent any more erroneous releases of information after a breach, said Dick Bianci, assistant vice president at the university.

Last month, while conducting a survey, the university inadvertently identified more than 400 donors to the recipients who had received their kidneys. Bianci said the university regretted the error and accepted the criticism of the Minnesota Citizens' Health Care Council, which chastised the university for the error.

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Related IDG.net Stories FTC settles with Eli Lilly over security snafu Eli Lilly cites programming error for e-mail privacy gaffe Wearable storage device keeps records with patients Features PC World.com Product Finder Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

The president of the health care council, Twila Brase, said she saw no reason for the donors' names and the recipients' names to be in a database that had the potential to be released.

"I can't argue with that," Bianci said. "There was no reason to have the cadaver donors' names in the database."

He said the donors' names have been removed.

"That is great," Brase said. "It shouldn't be on a database, it is a breach just waiting to happen."

Bianci said a researcher had been using the database to conduct a survey of recipients. The database had grown too large over time, and the researcher asked the IT staff for help. The result was a change in the software that allowed the recipients to learn who their donors were.

"We have IT people and researchers, and neither of the groups knows what the other is doing sometimes," Bianci said. "From a nontechnical standpoint, and that is the only way I can talk about computers, they changed something in the software and a field that was supposed to be suppressed was no longer suppressed."

Bianci said that he can't guarantee there will never be another computer-related glitch at the university concerning patient information, but he said the donor information will never be revealed in the way it was again.

The Minnesota breach is the latest in a list of accidental releases of private medical information being made public. The most recent was when Indianapolis-based Eli Lily and Co. sent an e-mail to more than 600 Prozac users that carried the name and e-mail addresses of every recipient in the message. The Federal Trade Commission later settle a complaint against the company.

Bianci said that these problems point out the need for privacy guidelines in the Health Insurance Portability and Accountability Act (HIPAA).

Brase said that her group doesn't think HIPAA goes far enough in protecting patient confidentiality.