Following an augmentation mammoplasty, the patient, “Mary Smith”, signed an authorization granting her physician permission to use her “before and after” photographs, with assurances that her identity would not be revealed.
The physician contracted with a medical website development company, which created a website with a photo gallery for “before and after” pictures. The company provided a program that allowed the physician to rename and upload photograph files from his personal computer to his photo gallery. The photo gallery program automatically “scrubbed” all patient identification from the file’s metadata to prevent any breach of identity.
The company also designed a blog as part of the website to increase the number of “hits” and installed a different program that allowed the physician to select and upload photographs from his personal computer to the blog. This program also allowed the physician to change the photograph’s file name to conceal the patient’s identity. However, the blog program did not automatically “scrub” the patient’s identification from the metadata, which also contained the patient’s name. The patient’s identity breach occurred when the physician uploaded the patient’s photographs to the blog.
Although the patient’s name was not displayed when the photographs were viewed on the blog, the metadata still contained the patient’s identification, which meant that an online search for “Mary Smith” would return links to the photos.
A humiliating identity breach
To prevent this identity breach, the physician would have had to manually remove the patient’s name from the metadata on his personal computer prior to uploading the photos to the blog. Unfortunately, the website development company did not inform the physician about the need to change the metadata manually, and it wasn’t mentioned in the instructions provided with the software program.
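A pre-upload check for the manual step described above, as an added example that is not part of the original article or the vendor's software. It assumes the photographs are JPEG files and that the name sits in EXIF/XMP, IPTC or comment segments, which the article does not specify; the function names and the sample file are constructed for illustration.

```python
# Added example: strip descriptive metadata from a JPEG and verify that a
# patient's name no longer appears anywhere in the file before upload.
# Assumption: JPEG input; APP1 (EXIF/XMP), APP13 (IPTC) and COM hold the metadata.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
NO_LENGTH = {0x01} | set(range(0xD0, 0xD8))  # TEM and RST0-7 carry no length


def strip_metadata(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with the metadata segments removed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 1 < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:  # padding byte before a marker
            pos += 1
        elif marker in NO_LENGTH:
            out += jpeg[pos:pos + 2]
            pos += 2
        elif marker in (0xDA, 0xD9):  # SOS or EOI: the rest is image data
            return bytes(out + jpeg[pos:])
        else:
            end = pos + 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
            if end < pos + 4 or end > len(jpeg):
                raise ValueError("corrupt segment length")
            if marker not in METADATA_MARKERS:
                out += jpeg[pos:end]
            pos = end
    raise ValueError("truncated JPEG: no image data found")


def contains_identifier(blob: bytes, name: str) -> bool:
    """Case-insensitive search for the name in common text encodings."""
    haystack = blob.lower()
    encodings = ("utf-8", "utf-16-le", "utf-16-be")
    return any(name.lower().encode(enc) in haystack for enc in encodings)


def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample() -> bytes:
    """Constructed, structurally valid JPEG skeleton (not a real photograph)."""
    return (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + segment(0xE1, b"Exif\x00\x00constructed: Mary Smith")
            + segment(0xFE, b"Patient: Mary Smith")
            + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Bytes from the SOS marker onward are copied unchanged, so run `contains_identifier` on the stripped output as the final gate rather than trusting the strip alone.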
Internet search engines create and rank search results by scanning (or “crawling”) websites using software called an Internet bot (a.k.a. web robot) that sends “crawlers” over the Internet to identify new and updated pages to add to their search indexes. When a crawler detects new links on a site, it adds them to its list of pages to crawl. In this case, the search engine identified the source codes in the metadata on the blog, which contained the patient’s name, and added them to the search index with a link to the photographs. When “Mary Smith” was entered into the Internet search engine, her name appeared in the search results. When selected, the link opened to the photographs—even though her name was not visible.
This problem continued for a short time after the photographs were removed from the website because images remain in a search index until the website is rescanned (or “recrawled”) and it recognizes that images have been removed. This may take weeks.
The physician had also placed the photographs on other websites, but no identity breaches occurred because the software on the other sites had automatically scrubbed the patient’s name from the metadata. The patient filed a claim alleging that she had suffered shame, humiliation, embarrassment, anxiety, and loss of sleep.
Unintended consequences when working with unfamiliar technologies
This case occurred several years ago, and, considering the rapid rate of change in the information technology world, the programming and Internet conditions that led to this breach may or may not continue to be a risk. Although the risk of this particular event may now be reduced because of improvements, it is always important to research healthcare-related technologies thoroughly before implementing them.
If denying access to your website by Internet search engines or web crawlers is an important risk management consideration in your practice, you should research the best ways to block them from your site (e.g., can Internet crawlers access encrypted and password-protected websites?).
This case illustrates the dangers of unintended consequences when adopting new or unfamiliar technologies. The electronic health record (EHR) is another example—The Doctors Company studied medical malpractice claims in which the EHR was a contributing factor and found several risk areas, such as:
- Point-and-click lists, drop-down menus, templates, canned text, and auto-population of data fields from personalized or packaged templates (for both procedure notes and the history and physical [H&P]) produce redundant, formulaic information that makes it easy to overlook significant clinical information.
- Frequent drug-drug interaction alerts lead to “alert fatigue”, sometimes causing physicians to override or disable them.
- EHRs facilitate e-prescribing—which also creates exposure to community medication histories where drug-drug interactions are time-consuming to trace.
- Templates with drop-down menus facilitate data entry but are often integrated with automated features elsewhere in the EHR, where errors can be easily overlooked and disseminated. If an item is selected above or below the one desired, for example, “qd” can become “qid”.
This post was sponsored by The Doctors Company, the nation’s largest physician-owned medical malpractice insurer.
David B. Troxel, MD
David B. Troxel, MD, is secretary of the Board of Governors and medical director of The Doctors Company. Dr. Troxel is clinical professor emeritus, School of Public Health at the University of California at Berkeley. He is past president of the American Board of Pathology and the California Society of Pathologists. He serves as chairman of The Doctors Company Foundation and as a member of the Patient Safety and Technology Committees at The Doctors Company.