Tulane Campus Health breach left patient names, appointments visible

tulane+campus+health

Adrienne Underwood

Less than a week after TUPD unintentionally publicized crime victim identities, Tulane Campus Health has a privacy breach.

Rohan Goswami, News Editor

As of Dec. 6, the full names of hundreds of patients for at least one Tulane University Campus Health doctor were left publicly visible to all individuals with a Tulane University email address, in a privacy breach with significant implications for patient confidentiality.

The information was accessible via Microsoft Outlook’s calendar feature, without privacy measures redacting private information about meetings and appointments on other individuals’ calendars.

After being alerted to the breach, Tulane secured patient information.

The doctor, who will remain unnamed for patient privacy reasons, left patient names uncensored, as well as the specific dates and times of their appointments.

Campus Health is an entity covered by the Health Insurance Portability and Accountability Act of 1996, which requires it to maintain strict confidentiality around patient names, records and information. The accessibility of this data may suggest a violation of both federal law and Tulane’s own regulations regarding patient privacy.

Campus Health uses a software called Medicat to store patient records in a way compliant with federal law restricting release of medical information. Microsoft Outlook is not compliant with privacy laws by default, and it is unclear why the medical provider treated it as such.

This comes after the Tulane University Police Department failed to secure crime victims’ names through similar Microsoft software and publicized the private information of those needing TUPD’s assistance.

Tulane declined to comment.

This is a developing story and will be updated as more information becomes available.