In the age of electronic health records, it has become more and more important to safeguard data that could violate a patient’s privacy. Privacy and data security are especially important in the realm of clinical trials, where data has been collected about each patient enrolled in the trial. Patients and clinicians have an invested interest in protecting their protected health information (PHI).
PHI refers to any information in a medical record that could be used to identify an individual patient and is relevant to that patient’s diagnosis or course of treatment. This could include demographic information, test results, preexisting conditions, insurance information, or any other information a health care provider collects that is unique to that patient.1
This installment of Fire of the Week describes a situation involving PHI that arose recently at a medical journal, what happened, and how it informed that journal’s processes for the future. Given the sensitive nature of the information involved, and to ensure as much privacy as possible, this article is being published anonymously, using information as it was relayed to me. —Emilie Gunn
Describe the “Fire.” What Happened? Who Was Involved? How Did the Situation Arise?
I answered my phone early on a Monday morning to an author who was utterly distressed. We had published her article in one of our journals on Friday afternoon, and she realized with horror that her published article included a link to an Excel spreadsheet that contained PHI. Any editor reading this will probably recognize that sinking feeling I had as soon as I heard those words. I looked up the article on our journal website and confirmed that, indeed, the spreadsheet in question contained a tab that listed each patient enrolled in the trial by first and last name, date of birth, diagnosis, specific drugs and treatments administered, and all other points of information relevant to the trial question.
The author’s institution, including the department head and privacy office, was already aware of the breach. The authors had discovered the problem first thing on Monday morning when looking over their recently published article, and notified us as soon as they realized what had happened.
We discovered the problem had arisen with a data supplement. Like many journals, we publish data supplements that often include additional raw data pertaining to the trial. This may mean anonymized patient level data, gene sequences, or other information that does not need to be in the print version of the article, but may give a deeper understanding of the trial to readers, or aid in reproducibility. These data supplements are not copyedited, but are published in whatever form the authors supply them. Editorial staff checks them before sending them to production, but mostly just to ensure the files can be opened and viewed correctly. In this case, the authors had included an Excel spreadsheet with several tabs, one of which was not immediately visible upon opening the file. A reader would have to click the arrow at the bottom of the sheet to be taken back to the first tab to see the data stored there. It was that tab that included the PHI.
Where Did You Go and What Resources Did You Utilize to Arrive at a Solution?
We immediately contacted our digital team who quickly removed the link to the data supplement so that we could look into the situation and correct it. While the supplement was offline, we conferred with the authors and their privacy office, our digital and production teams, and our legal team to determine how this had happened and how we could get the supplement back online quickly without it containing the information in question. Beyond determining how this happened, we also wanted to figure out how many people had viewed the article, and most importantly, how many had opened the data supplement. The author’s institution also wanted to know how many staff members had viewed the spreadsheet during the course of the article submission and review process. Countless emails were traded over the course of several days to make sure that everyone had as much information about the situation as possible. This would ensure we could examine it from every angle, determine the extent of the damage, and correct it.
What Possibilities Did You Consider? Why Did You Decide Against Those?
There were not many options when it came to repairing the damage that had been done. It was clear that the data supplement needed to be removed from online, the file replaced, and the link to the corrected supplement reposted.
How Did You Resolve the Problem? What Was the Outcome?
The authors were quick to supply us with a new data supplement, which we reposted. Of course, the author checked—and we double checked—that the correct version was indeed posted. We considered posting a note with the article that the original supplement had been removed and replaced with the current, correct one, but decided against that in the end. The removal of the PHI from the supplement did not change the outcome of the study, and ultimately we did not feel that sharing that we had corrected the supplement would benefit readers.
While the resolution in this case was clear, what was less clear was where other copies of the spreadsheet were stored, how to find them, and how to contain their spread. We began asking ourselves whether we needed to contact any readers to ask them if they had downloaded the spreadsheet, and if so, to ask them to destroy any copies of it. The author’s institution also asked us to work with our submission system and website host to destroy any copies of the file that had been stored in those systems in the course of manuscript submission, review, and preparation for publication. It proved to be harder than expected to determine exactly how many people had viewed the spreadsheet, and where electronic copies of it might live.
From download data, we were able to determine that the only people to download the spreadsheet from the journal website were staff, and that it had been viewed only in the course of our regular work with the peer review process. We contacted the reviewers to ask if they had viewed it (no), and then contacted our submission system to remove the files (easier said that done, unfortunately). Eventually, all electronic copies that we had were destroyed, even those in the submission system.
Will You Change Any of Your Policies or Day-to-Day Procedures Based on This Occurrence?
Like many journals, we publish appendices, which are usually additional tables or information the authors chose not to include in the manuscript, and data supplements, which are generally much longer, and tend to be large tables, additional figures, or data sets. When a paper is being prepared for production, editorial staff views any files labeled “data supplement” to determine if that is the correct label. Beyond just briefly scanning the content, we did not do anything else to those files.
Since this experience, we have updated our acceptance procedures to include a check of the type of information in the data supplement files to ensure there is no PHI contained in them. Typically, we check for patient names, or anything else that might be a red flag. We use a checklist for accepted papers, and have added instruction that staff should contact their manager for guidance if they have any doubts about something they see. This doesn’t take much time, and is a bit of insurance against something like this happening again.
In a digital age, it is inevitable that more and more of our personal information will be stored online. Any publication would be wise to have a plan in place for what to do if they find that private information has been published. Knowing what to look for, and what to do, will ensure a quick and complete resolution to a situation that no author or journal wants to experience.
Emilie Gunn is Managing Editor, American Society of Clinical Oncology.
We want to hear about your experiences! What situations have you encountered on the job that were unique, or especially challenging in some way? Have you had to work through an unusually complicated author misconduct issue? Dealt with less than positive press about your publication? Your story may help others learn what to do when they come across something similar.
There is a template available online at www.csescienceeditor.org (click “For Authors”) that will help you get started.