More than just health concern at coronavirus test sites: Are you exposing your personal information to security risks?
When Elizabeth Spinelli arrived at Fort Lauderdale's Holiday Park for a coronavirus test, a nurse handed her a form to write her name, address, date of birth and social security number. She hesitated to give her personal information but wanted the test.
About a month later, Spinelli repeatedly tried to get her results and learned from a Sun Sentinel article they were in the hands of a Hallandale Beach doctor with a troubled past. She panicked.
"I never give out my social security number, it's something I don't give out, but the cops were there, people in lab coats, the National Guard ... I felt comforted," she said. "Now, how do I know my information isn't floating around out there?"
In Florida, more than 1.3 million people have gone to test sites in parking lots, public parks and community centers to get swabbed for COVID-19. Like Spinelli, they wanted to know if they were infected with the virus and gave their social security numbers, date of birth—and sometimes even their insurance information—along with their nasal fluid blood or saliva.
As people get tested, they fill out forms thinking their information will be used only to find out if they have the infectious virus. But, like any time someone shares personal information—and in this case a DNA swab—there is a risk of identity theft, insurance fraud and the sample being sold or used for research or other purposes without you knowing it.
While the doctor and contractors at the Holiday Park test site say they follow the regulations to protect information, medical experts say the concern is warranted. At the start of the pandemic, a trade-off between data security and public health emerged, and experts say Florida's rapid testing expansion only exacerbated the privacy risks.
"Pop up community-based testing sites are playing an important role but there are a lot of parties touching people's information," said Michael Gusmano, a research scholar with The Hastings Center and associate professor of health policy at Rutgers University School of Public Health.
In Florida, close to 1,000 private labs process COVID-19 tests and dozens of entities are contracted to collect swabs and deliver test results. Some have no previous healthcare experience.
Getting swabbed at a drive-thru test opens the door to at least a half-dozen interactions with your data: an appointment taker records your personal information, an onsite assistant provides and collects paperwork, another person packs your swab and paperwork and ships it to the lab, a lab worker enters your information from the form into a computer, another lab worker enters your results into a portal and may provide them to a call center as well as to state and local health officials and the Centers for Disease Control.
Gov. Ron DeSantis says testing is critical to fully re-open Florida and he plans to keep expanding with more sites to reach more of the 21 million people who live on the peninsula. But when Floridians arrive at the 100-plus drive-thrus, walk-ups and pop-up sites to be tested, their experiences differ.
Some test sites are run by hospitals such as Memorial Healthcare System, others by private companies such as American Medical Response or physician groups such as Orlando's Premier Medical Associates. How an organization operates testing, how they populate medical forms, and which lab they use to process results, differ from site to site.
"People might get asked for different personal or medical information depending on which site they visit," Gusmaro said. "When comparing, you might say, I didn't get asked for that and immediately the other person is going to be suspicious."
Spinelli said she was asked for her social security number at the Holiday Park test site. At the Youth Fairgrounds at Florida International University, Eneida Roldan said anyone who wants to be tested is asked only for their name, date of birth and for a driver's license as proof of identity.
"We need identification to say this is your test," said Dr. Eneida Roldan, chief executive officer, FIU Health Care Network, and clinical director for the test site. "I believe what we get is enough to reduce the medical error aspects in providing someone with their correct results."
Standardizing how information is collected, reported and analyzed needs to happen to raise public comfort levels, Gusmaro said. "The last thing we want to do is discourage people from getting tested, which is going to be one of the main tools for controlling this virus," he said.
Cracks in coronavirus testing already have raised concerns: At 12 sites from Tallahassee to Miami, a doctor put on probation for treating people improperly for HIV was put in charge of delivering test results to as many as 100,000 people after a Miami company subcontracted with him for the job. State officials removed the doctor two weeks ago when they learned about his past but made clear that with rapid expansion there was no set vetting process in place for who would be managing COVID-19 tests.
The Miami company that hired the doctor now uses a call center to deliver results.
But whether an individual, a call center, or a lab delivers test results, some medical experts say the emergency nature of the coronavirus response has shifted responsibility for data protection to people who may not be educated on safeguards.
Cynthia Barnett Hibnick, a South Florida healthcare attorney, said that any time people give out private information, they are putting themselves at risk, but the vast volume and speed at which COVID-19 testing is moving increases that risk.
"You're talking about people being concerned that their information, their protected health information, is changing hands very rapidly," Hibnick said. "And I think they should be concerned."
Hibnick added concerns about that protected information is being transmitted electronically, sometimes on unencrypted devices, increasing the risk of a potential a data breach.
Last month, a Florida Department of Economic Opportunity data breach exposed about 98 people's personal information who were applying for unemployment.
Even the lab that reports the most coronavirus results in Florida has had data breaches. Only a year ago, Quest Diagnostics, which has reported more than 260,000 tests in Florida, suffered a data breach when a hacker gained access through one of its vendors to personal information for 12 million customers including credit card numbers, bank account details, medical data, and Social Security numbers.
"This turns into a bit of a trust game," said Dr. Bradley Malin, vice chair for research and professor of biomedical informatics at Vanderbilt University, whose work focuses on data privacy research and development for the health information technology sector.
Under normal circumstances, the federal privacy law known as HIPPA requires medical providers and insurers to protect someone's personal health information and requires a patient's consent to disclose it. In the public health emergency, the federal agency that enforces HIPPA announced it would not penalize any party that made a good-faith effort to comply with the privacy law in the operation of COVID-19 testing sites.
The enforcement relaxation is designed to allow information sharing with government entities.
When asked about what practices were in place to protect people's information, Florida Division of Emergency Management spokesman Jason Mahon said he's not aware of any HIPPA violations in the state's COVID-19 response.
Malin said the health information that has been shared has occurred under the context of public health and surveillance to better understand and track the disease. Data and specimen shared is supposed to be unidentifiable, but collection and analysis gets tricky with researchers, health officials and contact tracers involved, he said.
His biggest concern, though, is the uncertainty of who has access: "You really don't know where the information is going to go, You are not always going to be entitled to an accounting of it. What are the retention requirements? What can people do with that data afterward?"
Because the U.S. needs to move fast, a trade-off is inevitable. "Is it more important to scale up and get testing completed or is it imperative to ensure perfect security. We may not able to satisfy both simultaneously," he said.
- - -
HOW TO KEEP YOUR IDENTITY SAFE
Avoid giving your insurance information or social security number at a test site.
Ask questions such as "What happens if I don't provide the information?" or "Where is this information going?"
Carefully monitor your bank statements in the weeks after testing.
Read all mail from banks or financial institutions carefully, looking for newly opened accounts. Don't call the phone number provided in a letter. Call the financial institution directly.
Review your health plan explanation of benefits and follow up on anything that looks unusual. "When in doubt, call your insurance and say I don't' recognize the name of this provider. Can you give me more information?"
Request a credit freeze from the three bureaus if you suspect the potential for fraud, .
Place the freeze online or through an automated phone service. Customer service representatives are trained salespeople who will want to sell you credit monitoring.
Source: Carrie Kerskie, a Naples consultant on identity theft, fraud and data privacy
©2020 Sun Sentinel (Fort Lauderdale, Fla.)
Distributed by Tribune Content Agency, LLC.