Printer Friendly, PDF & Email

Columbia Email Breach Shows Need for Research Safeguards

Compared to privacy breaches that routinely affect millions, the one suffered by Columbia University Medical Center in 2016 was tiny, but the information exposed was among the most sensitive. In November of that year, a Columbia researcher notified an internal board overseeing her study that email addresses of 145 individuals involved in HIV/AIDS research were visible in a recruitment pitch. A study coordinator had included individuals’ addresses in the CC portion of an email inviting participation in a related upcoming study.

Because only breaches affecting 500 or more individuals are required to be made public under federal law, smaller incidents like this one may remain secret. But in Columbia’s case, the breach, which also appears to be reportable under HIPAA, came to light because a U.S. agency found that the medical center violated U.S. regulations governing research by failing to report what had happened.

Last month, the HHS Office for Human Research Protections (OHRP) published a determination letter that it sent to Columbia University indicating that the email disclosure was considered a “breach in confidentiality” that qualified as an “unanticipated problem involving risks to subjects or others.” Such problems are to be “promptly” reported to OHRP; this one wasn’t until months later and only after the agency, acting on a complaint, contacted Columbia.

OHRP said Columbia had delayed its report to the agency because its “investigation was still pending,” but this is not an allowable reason for lack of a prompt notification.

The email breach, which a former OHRP regulator calls “shocking,” offers reminders that maintaining privacy is just as important in studies as it is in treatment settings and that when the protected health information (PHI) is research-based, an organization may face actions by an agency other than the Office of Civil Rights (OCR). Additionally, organizations will want to review the corrective actions Columbia took in the wake of the email breach, including terminating the study coordinator.