Health information for at least 74 inmates in Alaska’s prisons, including Lemon Creek Correctional Center in Juneau, was improperly accessible to the public online via an electronic record system used by the Alaska Department of Corrections, the American Civil Liberties Union of Alaska stated in a letter Monday.
The data was no longer publicly viewable on Tuesday morning after the letter was sent to the corrections department commissioner and the company responsible for the record-keeping software, ACLU of Alaska Prison Project Director Megan Edge said in an interview Tuesday afternoon. However, she said such data apparently had apparently been available since at least Nov. 30 of last year.
Edge said she became aware the inmate data was available at the electronic health records website TechCare while doing research about Department of Corrections medical care and facilities as part of her advocacy work. The ACLU’s letter shows screenshots including real people’s names, medications and other data were included as illustrative examples in a user manual accessible to the public at the website.
“I saw names immediately as people that have been in contact with us, and so I recognized them immediately as real people, and I was familiar with some of their medical issues already,” she said. “So then we went through and checked as many as we could for who was still incarcerated and other people that we knew.”
One of the names was Mark Cook, an inmate at Lemon Creek who died in custody in April of 2023, whose medical records the ACLU had sought from the corrections department and were denied, Edge said.
“They declined to answer because it would have been a violation of HIPAA,” she said, citing the federal Health Insurance Portability and Accountability Act (HIPAA). “It’s sort of the tragic irony…(that) here, though, his private medical information became public.”
The ACLU’s letter states personal health information revealed at the website in violation of HIPAA “includes diagnoses, including for mental health conditions; prescription medications and their dosages; and whether and when a patient began substance use treatment, among other information.”
The TechCare database is provided by Alabama-based NaphCare Inc. Edge said her research showed similar inmate data was also exposed in Arizona, although a check with national ACLU officials did not immediately turn up problems in other states.
The Department of Corrections, in an emailed statement, noted “we take any potential breach of security very seriously and are working closely with NaphCare to ensure the matter is handled with the utmost care and transparency.”
“In the meantime NaphCare has proactively disabled the website in question and is conducting a thorough investigation to determine whether any patient data was compromised or accessed,” the department’s statement notes. “They have committed to keeping the Department of Corrections informed as they gather more information and will provide updates on the measures they are implementing to resolve the issue.”
NaphCare issued a similar statement, noting “we are also taking proactive steps to further secure patient information, notify patients to the extent any information was compromised, and limit the potential effects of any disclosure that may have occurred.”
Edge said while the website was taken down shortly after the ACLU’s letter was sent, it doesn’t absolve the Department of Corrections from responsibility for the information people had access to.
“Regardless of that DOC is responsible for making sure that all of their contractors are upholding their end of the bargain,” she said. “And in this case one of their contractors did not.”
The ACLU letter states HIPAA requires DOC and NaphCare to notify every patient whose information has been disclosed or was threatened as a result of the breach within 60 days.
• Contact Mark Sabbatini at mark.sabbatini@juneauempire.com or (907) 957-2306.
