HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

ACLU Alaska claims privacy violation over inmate health records

Written by Tshedimoso Makhene | Oct 11, 2024 10:21:50 AM

The ACLU of Alaska claims that the Alaska Department of Corrections and its software provider, NaphCare, improperly exposed sensitive medical information of incarcerated individuals on a publicly accessible training website. However, NaphCare disputes these claims, stating that the information in question was fictitious.

 

What happened

The American Civil Liberties Union (ACLU) of Alaska has accused a software company used by the Alaska Department of Corrections (DOC) of violating medical privacy laws. According to the ACLU, the electronic health record system used by the DOC, known as TechCare, had displayed private health information of at least 74 incarcerated Alaskans on a public training website since November 2023. The information included diagnoses, prescriptions, and treatments, with records of at least three individuals incarcerated at Bethel’s Yukon Kuskokwim Correctional Center and the Lemon Creek Correctional Center in Juneau.

On October 1, TechCare’s parent company, NaphCare, removed the health data from the training website following a public demand by the ACLU. However, NaphCare disputes the ACLU's claim, stating that the displayed information was fictitious and used for training purposes. NaphCare asserts that an internal investigation confirmed that none of the records were related to actual DOC patients and that the website was mistakenly made public.

 

 

What was said 

According to the Juneau Empire, NaphCare refuted the claims on October 2, explaining that the health-related information displayed on the website was fictitious and part of a training manual. “Following a report that patient health information may have been publicly accessible, we initiated an investigation and determined a section of a training manual for our electronic health record system was made public, mistakenly,” the company said. “NaphCare took immediate action to secure the exposed content and disable public access to training materials.”

According to the company, none of the 70 records identified by the ACLU contained real patient data. “Of the 70 records identified by the ACLU as possibly exposed, our investigation found that none of them included personal health information for Alaska DOC patients,” NaphCare added. The company is seeking a retraction of the ACLU's complaint.

The ACLU remains firm in its position, filing a complaint with the U.S. Department of Health and Human Services (HHS) and claiming that health records of real people were exposed. ACLU of Alaska Prison Project Director Megan Edge said the records had been publicly available since at least November 2023. She explained that she discovered the data while researching the DOC’s medical care practices and recognized the names of individuals who had been in contact with the ACLU.

“I saw names immediately as people that have been in contact with us, and so I recognized them immediately as real people, and I was familiar with some of their medical issues already,” Edge said. “So then we went through and checked as many as we could for who was still incarcerated and other people that we knew.”

Edge noted that one of the names identified was Mark Cook, an inmate at Lemon Creek who died in custody in April 2023. The ACLU had previously sought his medical records from the corrections department but was denied.

In response to NaphCare’s claims, the ACLU expressed further concern. “Everyone in Alaska, including incarcerated people, is entitled to the privacy of personal health information,” said Meghan Barker, an ACLU spokesperson. “NaphCare’s assertion that it hasn’t published any true information — but has instead published false health care information about real Alaskans — is extremely troubling and should be of great concern.”


In the know

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 to protect the privacy of individuals' health information. It mandates that medical records and personal health data are kept confidential and only shared with authorized entities under strict regulations.

The ACLU claims that NaphCare and the Alaska DOC violated HIPAA by making the medical information of incarcerated individuals publicly accessible. If true, this would represent a breach of HIPAA’s privacy regulations, as the law requires organizations to implement protective measures to ensure the confidentiality of patient data. The ACLU's complaint suggests that individuals affected by the data exposure were not notified promptly, as required by HIPAA guidelines.

NaphCare’s defense, that the data was fictitious and used for training, raises questions about the management of real and fictitious data, and whether even fictitious data linked to real individuals violates HIPAA protections. The law's emphasis on safeguarding patient identities makes this case particularly sensitive, especially given the vulnerability of incarcerated individuals and the high standard of care expected from state institutions.


Why it matters

Medical privacy is a legal right protected by the Health Insurance Portability and Accountability Act (HIPAA). If true, the ACLU’s allegations point to a significant violation of this law, which could have wide-reaching implications for both incarcerated individuals and the systems in place to safeguard their private health information.  

 

What happens next

The U.S. Department of Health and Human Services will likely review the ACLU’s complaint and conduct an investigation to determine whether a HIPAA violation occurred. If the DOC and NaphCare are found to have breached HIPAA regulations, they could face penalties and will be required to notify the affected individuals within 60 days of the breach.


FAQs

What is the ACLU? 

The American Civil Liberties Union (ACLU) is a non-profit organization that works to defend and preserve the individual rights and liberties guaranteed by the Constitution and laws of the United States. It advocates for issues like free speech, privacy, criminal justice reform, and more.

 

What is a data breach? 

A data breach occurs when sensitive, confidential, or protected information is accessed, disclosed, or used without authorization. In the healthcare sector, data breaches can involve the exposure of patient health information, which could violate privacy laws such as HIPAA.

 

What are electronic health records (EHRs)? 

Electronic health records (EHRs) are digital versions of patients' paper charts. They contain medical history, diagnoses, medications, treatment plans, immunization dates, allergies, and lab results. EHRs are designed to be shared among authorized healthcare providers for coordinated care.

 

Why is medical privacy important? 

Medical privacy ensures that individuals' sensitive health information is kept confidential and only shared with authorized entities. Protecting this information helps prevent discrimination, stigma, and misuse of personal data, and it upholds patients' trust in the healthcare system.