BreachExchange mailing list archives

Johns Hopkins responds to serious patient privacy breach (update 2)


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Wed, 20 Feb 2013 09:51:20 -0500

http://www.phiprivacy.net/?p=11694

Justin Fenton, Scott Dance and Jessica Anderson report on a
nightmarish privacy breach for patients and a hospital:

A Johns Hopkins gynecologist who was being investigated on allegations
that he secretly recorded patients was found dead this morning at his
home in Baltimore County, police and hospital officials confirmed.

The doctor, identified as Nikita A. Levy, 54, was let go by Hopkins
earlier this month when another employee alerted Hopkins security
staff to the allegations, Hopkins officials said in a statement. They
said Levy had been photographing patients with personal photo and
video equipment.

Kim Hoppe, a spokeswoman for Hopkins, said a “few patients” have been
notified and a police investigation is ongoing. She said a call center
had been set up for his patients to offer them counseling.

Read more on Baltimore Sun.

Offering his patients counseling sounds like an appropriate response,
but I’m not sure what they intend in terms of the extent of counseling
and whether they will make face-to-face counseling available with
psychologists or psychiatrists.  I’ve e-mailed the hospital to request
more details on what this part of their breach response involves and
will update this entry if I get a response.

Update: I have not received any response from the hospital, despite
two e-mail requests to them in the last 24 hours.  The Washington
Post, however, reports that the hospital, which first learned of the
allegations on February 4, will be sending a second letter to
patients.

Update 2: I am still trying to get clarification on what their
statement means by “counseling,” but Kim Hoppe, a hospital
spokesperson, sent the following statement:

After being alerted by an employee, on February 4, 2013, our security
department at Johns Hopkins initiated an investigation of Nikita Levy,
M.D., a Hopkins obstetrician/gynecologist. Within a day, we determined
that Dr. Levy had been illegally and without our knowledge,
photographing his patients and possibly others with his personal
photographic and video equipment and storing those images
electronically. At that time, in order to protect patient welfare, Dr.
Levy was prohibited from any further patient contact.

Johns Hopkins promptly reported this activity to the Baltimore City
Police Department. In light of this information, which Dr. Levy
acknowledged, we ended his employment on February 8 and offered him
counseling services. We then sent a communication to Dr. Levy’s
current patients to assure continuity of care and to help them
reschedule appointments with another provider.

Any invasion of patient privacy is intolerable. Words cannot express
how deeply sorry we are for every patient whose privacy may have been
violated. Dr. Levy’s behavior violates Johns Hopkins code of conduct
and privacy policies and is against everything for which Johns Hopkins
Medicine stands. We continue to work closely with law enforcement
officials and will assist them in any way possible. Apart from a few
individuals who have been notified, we are not aware at this time of
the identities of any other people who may have been photographed by
Dr. Levy. We are continuing to investigate.

Tragically, yesterday we learned that Dr. Levy apparently has taken
his own life. We send our condolences to his family and friends.

Since this is an ongoing police investigation, we have been asked not
to provide any more detail at this time.

In order to ascertain the full extent of this matter, the Johns
Hopkins Medicine Board of Trustees will be setting up a separate
independent investigation which will work in tandem with law
enforcement. The Board expects to name someone shortly to head up the
independent investigation.

We regard our patient’s right to privacy and professionalism as
fundamental and foundational. We deeply regret any distress
experienced by our patients and their families.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
