Updated October 2, 2024: As of October 1, 2024, the protected health information (PHI) and data breach for incarcerated Alaskans have been removed from the TechCare website. On October 2, 2024, the ACLU of Alaska received an anonymous tip that other PHI data from other jurisdictions, including Montana, Wisconsin, and more from Arizona, were shared online by TechCare. The redacted screenshots from these findings can be accessed here.
On October 2, 2024, the Anchorage Daily News received a statement from NaphCare that it had not released PHI data. NaphCare confirmed that the listed inmate names were real people, but the medical information was falsified.
"Everyone in Alaska, including incarcerated people, is entitled to the privacy of personal health information. NaphCare's assertion that it hasn't published any true information - but has instead published false health care information about real Alaskans - is extremely troubling and should be of great concern," said Meghan Barker, Communications and Engagement Director for the ACLU of Alaska. "We hope NaphCare is notifying the Alaskans who it made allegedly fictitious medical statements about publicly available."
The ACLU of Alaska’s Prison Project recently uncovered violations of the federal Health Insurance Portability and Accountability Act (HIPAA) by the Alaska Department of Corrections (DOC) through the electronic health record (EHR) system that DOC utilizes at facilities across the state.
The EHR system, TechCare, is a proprietary software of NaphCare. It has showcased the protected health information (PHI) of at least 74 incarcerated Alaskans on its training website since at least November 30, 2023. The posted PHI includes diagnoses, including for mental health conditions; prescription medications and their dosages; and whether and when a patient began substance use treatment, among other information.
“DOC is Alaska’s largest provider of mental health and substance use services in the state and must manage the incredibly sensitive information of Alaskans,” said Megan Edge, Director of the Alaska Prison Project. "DOC is responsible for protecting and ensuring their right to privacy. This disturbing discovery demonstrates that it has failed. DOC must remedy the breach immediately, as is their duty.”
The ACLU of Alaska sent a demand letter to DOC Commissioner Jen Winkelman and the Chief Legal Officer for NaphCare Justin Barkley demanding that the site be taken down or made private immediately. The ACLU of Alaska has also filed an official complaint with the Secretary of U.S. Department of Health and Human Services because of the gravity of the breach.
“The tragic irony of this breach is that the Department of Correction hides behind HIPAA as its reason for not releasing information about deaths that occur in its custody. This breach shared Mark Cook’s private information, but when he died at Lemon Creek Correctional Center in 2023, DOC officials cited HIPAA while declining to answer questions about Cook’s care and treatment prior to his death. DOC doesn’t get to cherry-pick when HIPAA applies,” said Edge.
HIPAA requires DOC and Naphcare to notify every patient whose information has been disclosed or was threatened as a result of the breach within 60 days.
