Med School error releases kidney donors’ names

Tim Sturrock

Two recent breaches of confidential information at the University Medical School have reinforced concern among school officials regarding the security of clinical records.

The most recent breach occurred in late December, when 410 kidney recipients were sent letters containing the names of their deceased donors.

The letters were part of a survey researching the long-term care of kidney recipients, said Dr. Richard Bianco, assistant vice president for regulatory affairs.

Due to a software upgrade, a database inadvertently included the donors’ names in the letters.

Bianco said although the breach was caused by a computer glitch, human error played a part because the donors’ names weren’t spotted before the letters were mailed.

Bianco said the researchers have sent out letters asking the recipients not to contact the donors’ relatives.

So far, one man related to a kidney donor has told Medical School officials someone was trying to contact him. The school has also received calls from kidney recipients who said they want to thank donors’ family members.

Bianco said the school is taking the breaches seriously and doing all it can to avoid them in the future. Clinical researchers will receive more education on the systems they use and have received a letter re-minding them to be vigilant in protecting patient confidentiality. The letter also said people will be held responsible for mistakes.

Bianco said the timing of the letter was coincidental and security had been a concern even before the letters were mistakenly sent.

In November, clinical information on 20 children was accidentally posted on the Internet.

“It’s not really an issue that’s isolated to organ transplants; it’s not isolated to the University of Minnesota. It’s going to be a bigger issue as more health information becomes available electronically,” said Jeffrey Kahn, director of the Center for Bioethics.

Kahn said the main issue is the Medical School broke an agreement to keep the information confidential. But in a case like this, simply breaking patients’ trust is not the worst scenario, he said.

Requests from donors’ relatives for financial compensation from recipients are also a possible result of such breaches, he said.

Charles Moldow, associate dean of the Medical School, said mistakes will happen but “two instances in a short period of time is more than disturbing.”

Moldow currently heads a committee reviewing and inventorying electronic information in preparation for federal regulations. The regulations are part of the Health Insurance Portability and Accountability Act and dictate how health organizations can and cannot handle information.

Moldow said he is pleased with the emphasis on keeping information secure. But he said as medicine becomes more computerized, opportunities for mistakes increase.

He said there are so many ways for information to be used that it is difficult to prepare for every potential breach. For example, unsolicited e-mails from patients could be unintentionally sent.

Moldow said some of the measures in the act go too far and prohibit gathering information for some studies that could benefit public health.

He said he doubts the accidents would have been prevented even if the University had complied with all the new regulations.

Both mistakes have been sent to the National Institutes of Health for review.