The Doctor’s Advocate | Third Quarter 2017
The Search for Mary Smith
Following an augmentation mammoplasty, the patient, “Mary Smith,” signed an authorization granting her physician permission to use her “before and after” photographs, with assurances that her identity would not be revealed.
The physician contracted with a medical website development company, which created a website with a photo gallery for “before and after” pictures. The company provided a program that allowed the physician to rename and upload photograph files from his personal computer to his photo gallery. The photo gallery program automatically “scrubbed” all patient identification from the file’s metadata to prevent any breach of identity.
The company also designed a blog as part of the website to increase the number of “hits” and installed a different program that allowed the physician to select and upload photographs from his personal computer to the blog. This program also allowed the physician to change the photograph’s file name to conceal the patient’s identity. However, the blog program did not automatically “scrub” the patient’s identification from the metadata, which also contained the patient’s name. The patient’s identity breach occurred when the physician uploaded the patient’s photographs to the blog.
Although the patient’s name was not displayed when the photographs were viewed on the blog, the metadata still contained the patient’s identification, which meant that an online search for “Mary Smith” would return links to the photos.
To prevent this identity breach, the physician would have had to manually remove the patient’s name from the metadata on his personal computer prior to uploading the photos to the blog. Unfortunately, the website development company did not inform the physician about the need to change the metadata manually, and it wasn’t mentioned in the instructions provided with the software program.
Internet search engines create and rank search results by scanning (or “crawling”) websites using software called an Internet Bot (a.k.a. web robot) that sends “crawlers” over the Internet to identify new and updated pages to add to their search indexes. When it detects new links on a site, it adds them to its list of pages to crawl. In this case, the search engine identified the source codes in the metadata on the blog, which contained the patient’s name, and added them to the search index with a link to the photographs. When “Mary Smith” was entered into the Internet search engine, her name appeared in the search results. When selected, the link opened to the photographs—even though her name was not visible.
This problem continued for a short time after the photographs were removed from the website because images remain in a search index until the website is rescanned (or “recrawled”) and it recognizes that images have been removed. This may take weeks.
The physician had also placed the photographs on other websites, but no identity breaches occurred because the software on the other sites had automatically scrubbed the patient’s name from the metadata. The patient filed a claim alleging that she had suffered shame, humiliation, embarrassment, anxiety, and loss of sleep.
This case occurred several years ago, and, considering the logarithmic rate of change in the information technology world, the programming and Internet events leading to this event may or may not continue to be a risk. That said, this case illustrates the dangers of unintended consequences when adopting new or unfamiliar technologies (the electronic health record is an example).
Although the risk of this particular event may now be reduced because of improvements, it is always important to research healthcare-related technologies thoroughly before implementing them.
If denying access to your website by Internet search engines or web crawlers is an important risk management consideration in your practice, you should research the best ways to block them from your site; e.g., can Internet crawlers access encrypted and password-protected websites?