There’s more on a lawsuit previously mentioned on this blog, where patients sued a cosmetic surgeon, Dr. Michele Koo, for uploading before/after pictures to the Internet that could be found by a Google search on the patients’ names. The problem, at least in some cases, occurred because the patients’ names were embedded in the photos’ filenames.
Robert Patrick of the Post-Dispatch reports that the problem may be much more widespread than originally reported, involving numerous doctors and patients, and multiple third party providers:
Using the name of the company that ran Koo’s website, the Post-Dispatch found the problem to be widespread.
That company, Long Island, N.Y.-based MedNet Technologies Inc., boasts that it manages sites for more than 2,500 health care providers worldwide, “from large hospital systems to individual medical, dental and veterinary practices.”
[The patients’ lawyer] said he has been contacted by lawyers from four states, concerned about companies other than MedNet. “I think this is a much bigger issue,” he said.
As recently as early August, a simple Google search pulled up multiple doctors’ websites with patient pictures, names and the procedures they paid for: nose jobs, liposuctions, face-lifts or breast enlargements or reductions.
It took only minutes to find a patient photo linked to a full name on a website designed by Einstein Medical, a MedNet competitor in San Diego, for Dr. Dennis Hurwitz.
For its part, the vendor blames the surgeon, “saying the company did not post, control or influence the content. It also claims legal immunity under the Communications Decency Act, which protects websites from suits over postings by third parties.”
[…]
In recent days, the website for Dr. O.M. Suliman, of St. Petersburg, Fla., revealed names of patients with a simple roll of the cursor over images of their breast augmentations.
[…]
An Ohio woman said she had seen her pictures on the website of Dr. Daniel Medalie of Cleveland and wasn’t bothered. She had agreed to their use, and the picture did not show her face.
“I thought it was pretty anonymous,” she said.
When informed that her full name was linked to the photos, she said she was “not very happy.” She added, “It’s not something I agreed to at any point.”
Read more on the St. Louis Post-Dispatch.
Although patients informed the reporter that they had not received any breach notification from their doctors, this would appear to be a reportable breach under HIPAA. And if I had the time and an actual staff, I’d file under FOIA to see if these breaches were reported to HHS.