Public Safety

ACLU alleges "massive" HIPAA violation by Alaska DOC. The company responsible says it didn't happen

KYUK | By Sage Smiley

Published October 3, 2024 at 9:01 AM AKDT

A screenshot from the ACLU of Alaska reportedly shows patient data from incarcerated patients in the Alaska correctional system that was displayed on a public-facing training page by a company contracting with the Alaska Department of Corrections. The company said that there was no breach of federal privacy laws because the data was fabricated for training purposes.

The American Civil Liberties Union (ACLU) of Alaska said that it uncovered a “massive” violation of medical privacy laws by a software company used by the Alaska Department of Corrections (DOC). But the software company at the center of the complaint claims that’s “false and misleading,” and that there was no breach of data privacy.

The ACLU asserts that the electronic health record system used by DOC was displaying private health information of dozens of incarcerated Alaskans on a training website since at least November 2023.

The ACLU said that electronic records displayed diagnoses, prescriptions, and treatments of “at least 74” incarcerated Alaskans. That included at least three individuals incarcerated at Bethel’s Yukon Kuskokwim Correctional Center.

The electronic record system, called TechCare, pulled the records off of the training site on Oct. 1 after the ACLU publicly demanded that the DOC and TechCare’s parent company, NaphCare, take down the site or make it private.

But the company now says that it’s not at fault. In a written statement on Oct. 2, NaphCare said that the health-related information displayed on the training site was fictitious data put there for training purposes. It stated that the training website had inadvertently been made public. NaphCare said that its internal investigation found that none of the 74 patient records identified by the ACLU contained patient data from the Alaska Department of Corrections.

The ACLU of Alaska said that it filed a complaint with the United States Department of Health and Human Services because of “the gravity of the breach.” Federal law requires that the DOC and NaphCare notify the patients whose data was disclosed within 60 days.

Reached Oct. 2, the ACLU of Alaska said that it doesn’t plan to retract its complaint with the U.S. Department of Health and Human Services, despite NaphCare’s claim that it didn’t publish any true information.

The ACLU called NaphCare’s claim that it published false health care information about real Alaskans “extremely troubling” and “of great concern,” and said that it hopes NaphCare still notifies individuals who had allegedly fictitious medical statements about them made publicly available.