Private medical information published on county Web site

EDINBURG — The names, Social Security numbers and treatment descriptions for 25 indigent patients were posted on the county’s Web site for nearly two months before Hidalgo County officials took them down Monday.

The information — included in documents linked to Commissioners Court’s May 29 meeting agenda — specified medical procedures, costs and the personal information of those covered by the program.

The information was removed from the county Web site Monday afternoon after The Monitor contacted county officials about the situation.

Eduardo Olivarez, director of the county health and human services department, said he had no idea why the patients’ personal information was published on the Web. He said the department is conducting an internal investigation into the matter.

“I’m not sure how it got there,” Olivarez said. “I apologize. I just don’t know how it happened.”

The services delivered to the indigent patients were for emergency room visits between September 2003 and December 2004.

Attempts by The Monitor to reach patients listed on the medical invoices Monday were unsuccessful.

Susan McAndrew, deputy director for health information privacy at the U.S. Department of Health and Human Services in Washington, D.C., said disclosure of an individual’s name or Social Security number violates federal health privacy laws.

“A covered entity may only use or disclose protected health information as permitted by the Rule — for example, to treat the patient, have the treatment paid for, or other business and administrative activities needed to operate the entity — or as authorized by the individual,” McAndrew said in a e-mailed statement.

County public information officer Cari Lambrecht said the private information had been removed from the Commissioner’s Court minutes but did not know whether county officials would notify the affected patients of the identity breach.

“We have not talked about it,” she said.

Paul Stephens, a spokesman for California-based consumer rights group Privacy Rights Clearinghouse, said publishing the indigent patients’ Social Security information leaves them vulnerable to identity theft.

While the compromised data came from low-income residents, identity thieves generally use stolen Social Security numbers to open fraudulent credit card accounts and sign up for cell phone contracts.

McAndrew said people who believe their private health care information has illegally been made public should file a complaint with the HHS Office of Civil Rights at 1-800-368-1019.

———

Jared Taylor covers Edinburg and general assignments for The Monitor. You can reach him at (956) 683-4439. For this and other stories, visit www.themonitor.com.