Thursday, May 16
The Indiana Daily Student

Optometry records no longer visible to public

For about a month, medical information pertaining to the eye health of 757 IU School of Optometry patients was visible on the Internet.

The information, which was stored on a teaching server by former faculty member Kevin E. Houston, O.D., was originally secure and available to optometry students for educational purposes, said April Haag, IU School of Optometry compliance and privacy officer.

However, when the server was reconfigured Aug. 12, an error exposed the information to the Internet.

Because Houston left the school in June and the server was not reconfigured until mid-August, no one realized it contained protected medical records.

“When Dr. Houston put the information on the teaching server, it wasn’t designed to hold protected health information,” Haag said.

The school was notified of the information breach Sept. 9. It shut down the server, and within 24 hours, cached copies indexed by a major computer search engine were removed. Letters were sent to the 757 affected patients Sept. 30.

“We don’t know that their information was seen by anyone, just that it could have been seen,” said Mark Land, associate vice president of University Communications.

Those affected by the breach came from a specific subset of patients at the school’s low-vision clinics in Carmel, Ind., and Indianapolis who were seen between January 2007 and June 2011.

Certain hospital inpatients seen by Houston from August 2007 to August 2008 were also included. The leaked medical history contained only information on the patients’ eye health and did not contain any information that could make a patient susceptible to identity theft, such as addresses, telephone numbers, email addresses, social security numbers, credit card numbers, driver’s license numbers or other financial information.

Haag said there is a regulatory agency that manages violations of the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, and the school has fulfilled its legal obligation to file the breach with the Office of Civil Rights with the Department of Health and Human Services.

The school is revisiting its policies and procedures about where secure information should and should not be stored, as well as launching an education campaign with all of its faculty, Haag said.

“It’s a cascade failure,” she said. “I wouldn’t put it on one person. At the end of the day, it’s the School of Optometry’s responsibility to secure our patients’ information, and we are treating it that way.”
