Late Friday afternoon, Montgomery County disclosed that its Office of Public Health inadvertently released personal information in response to a right-to-know request.
The Office of Public Health delivered unredacted personal health information related to COVID-19 cases and exposures in Montgomery County schools. It included the names of students and school staff from September to November 2020. Social Security numbers were not included.
The information released included students’ names, identification numbers assigned by the Office of Public Health, date of birth, age, sex, COVID test lab reports with dates, school names, current grade, and other information.
That sort of personal information is supposed to be exempt from right-to-know requests and health information is protected from disclosure under the Health Information Portability and Accountability Act (HIPAA).
“Unfortunately, instead of providing a redacted PDF document, the county inadvertently attached to the File the original Excel Spreadsheet with multiple tabs that contain the PHI and personal information,” officials said via a press release.
“This information was disclosed on or around March 15, 2021,” the release said. “The county became aware of this on May 21, 2021. Immediately following, the county investigated and took immediate steps to remedy the situation and to prevent future access, use, and disclosure of the information. Montgomery County identified the recipients of the file and requested that the recipients delete all personal information and that no further dissemination of the information occur.”
It is an example of the very sort of privacy issue that concerns Republican leaders in the state legislature.
On Thursday, the state Department of Health announced a plan to text 250,000 Pennsylvanians who received their first dose of the COVID-19 vaccine but did not yet receive the second dose, to encourage them to become fully vaccinated as the Delta variant continues to spread in Pennsylvania.
However, the announcement raises serious privacy concerns about whether the Department of Health has the authority to use personal information in this capacity, whether the information has been provided from the Department of Health to third party providers to facilitate the text messaging, how that contract was entered into, and what precautions are being taken to protect the information of Pennsylvanians, legislators said in a news release.
“Millions of Pennsylvanians have admirably stepped up to receive the COVID-19 vaccine, but no Pennsylvanian—even those partially vaccinated—gave permission to the Wolf administration to send them a text message or provide their private health and personally identifiable information to a third party vendor or anyone else,” said Pennsylvania House Republican Caucus Spokesperson Jason Gottesman.
“Given this administration’s shoddy track record of protecting Pennsylvanians’ private health and personally identifiable information, questions remain about how this information is being stored, who is facilitating this text messaging program, and what assurances have been provided that this information is being kept secure,” he said.
People who received the vaccination had no expectation that their private information would be disclosed to a third party, he pointed out.
“While everyone is committed to stopping the spread of this virus and associated variants, including through a robust vaccine deployment, this is nothing short of bait and switch by the Department of Health that does nothing to further confidence in the vaccine distribution process or the security of private information given to providers or government entities,” Gottesman said.
Meanwhile, Montgomery County officials promise to do better in the future and have begun reviewing training materials and procedures.
“The county takes the situation very seriously, and we acted immediately in responding to and investigating the incident. We have done everything under the law to remedy this situation and make sure it does not happen again,” a spokeswoman said.
County officials also notified everyone affected via mail, as well as the secretary of the United States Department of Health and Human Services as required by law.
