The private, legally protected medical information of 74 incarcerated people in Alaska was displayed on a publicly accessible website by a state Department of Corrections contractor, the ACLU of Alaska said Tuesday — with the full names of inmates attached.
An ACLU of Alaska staff member doing research stumbled across what appeared to be a training website for NaphCare, the Alabama-based for-profit prison health care giant the state contracts with for correctional health records management and found training examples that divulged what seemed to be highly sensitive medical information, said Ruth Botstein, the ACLU of Alaska’s legal director.
“And at first it was like, these must be fake names,” she said. “But when we looked, they were jumping out as people we recognized.”
The website showed full names of dozens of Alaska inmates along with prescription medications, dosages, and physical and mental health diagnoses, as well as whether and when a person was in substance use treatment, Botstein said.
All of that is “very core health information that unquestionably is supposed to be kept private under HIPAA, a federal law,” she said.
The website had been taken down as of Tuesday, she said.
Private health data of 54 inmates in Arizona was also leaked on the website, the Arizona Republic reported.
The Department of Corrections learned of the breach Monday, a spokesperson said in a statement.
“We take any potential breach of security very seriously and are working closely with NaphCare to ensure the matter is handled with the utmost care and transparency,” the statement said.
Birmingham, Alabama-based NaphCare did not answer questions about how the breach happened, the company’s contract with the state of Alaska or specific measures to respond to the publication of the sensitive medical information.
In a statement, the company said it takes patient privacy and health information security “very seriously.”
“We are also taking proactive steps to further secure patient information, notify patients to the extent any information was compromised, and limit the potential effects of any disclosure that may have occurred,” the statement said.
NaphCare is part of a growing industry of private companies that provide physical and mental health care in U.S. jails and prisons. A Reuters investigation into deaths and quality problems linked to for-profit prison health care found that 60% of jails nationwide now use some kind of private contractor to deliver health care.
The Alaska Department of Corrections has a five-year $2,791,100 contract with NaphCare for electronic health record, said department spokeswoman Betsy Holley. The DOC also has a separate contract with NaphCare for dialysis services at Goose Creek Correctional Center, for up to $1,500,000 per year. So far this year, the state has paid $77,631.00 for dialysis services, Holley said.
NaphCare paid registered Alaska lobbyist Robert Evans $120,000 over two legislative sessions in 2021 and 2022, records show. In 2020, NaphCare paid Evans $5,000 a month.
The breach is all the more galling for the fact that prisoners have no way of keeping their medical information private themselves and are reliant on the Department of Corrections to do so, Botstein said.
HIPAA — the Health Insurance Portability and Accountability Act — is often invoked by the department as a shield from releasing information, including when people have died while incarcerated, Botstein said.
“They sort of use HIPAA as a reason that they can’t produce health information even to the grieving families, which is not what HIPAA is about,” she said. “But this is what HIPAA is about. This is the very core command of HIPAA — to keep patients’ personal, private health information confidential.”