The ACLU of Alaska’s Prison Project recently uncovered violations of the federal Health Insurance Portability and Accountability Act (HIPAA) by the Alaska Department of Corrections (DOC) through the electronic health record (EHR) system that DOC utilizes at facilities across the state.
The EHR system, TechCare, is a proprietary software of NaphCare. It has showcased the protected health information (PHI) of at least 74 incarcerated Alaskans on its training website since at least November 30, 2023. The posted PHI includes diagnoses, including for mental health conditions; prescription medications and their dosages; and whether and when a patient began substance use treatment, among other information.
“DOC is Alaska’s largest provider of mental health and substance use services in the state and must manage the incredibly sensitive information of Alaskans,” said Megan Edge, Director of the Alaska Prison Project. "DOC is responsible for protecting and ensuring their right to privacy. This disturbing discovery demonstrates that it has failed. DOC must remedy the breach immediately, as is their duty.”
The ACLU of Alaska sent a demand letter to DOC Commissioner Jen Winkelman and the Chief Legal Officer for NaphCare Justin Barkley demanding that the site be taken down or made private immediately. The ACLU of Alaska has also filed an official complaint with the Secretary of U.S. Department of Health and Human Services because of the gravity of the breach.
“The tragic irony of this breach is that the Department of Correction hides behind HIPAA as its reason for not releasing information about deaths that occur in its custody. This breach shared Mark Cook’s private information, but when he died at Lemon Creek Correctional Center in 2023, DOC officials cited HIPAA while declining to answer questions about Cook’s care and treatment prior to his death. DOC doesn’t get to cherry-pick when HIPAA applies,” said Edge.
HIPAA requires DOC and Naphcare to notify every patient whose information has been disclosed or was threatened as a result of the breach within 60 days.