Mix-up breaches confidentiality of dozens in state AIDS program

Times Staff Writer

The state Department of Health Services inadvertently revealed the names and addresses of up to 53 Californians enrolled in an AIDS drug assistance program to other enrollees by putting benefit notification letters in the wrong envelopes, officials said Friday.

The letters went out Tuesday to recipients in 16 counties, including Los Angeles, Orange, Riverside and San Diego. The department learned about the mix-up after 12 people in the drug assistance program phoned to say they had received letters addressed to someone else, said health services Director Sandra Shewry.

“The department is committed to a no excuses, zero-tolerance policy regarding the release of sensitive, personal and confidential information,” Shewry said. “We take this seriously.”

The breach of confidentiality is particularly sensitive after the state Legislature’s decision last year to change from an HIV tracking system based on alphanumeric codes to one based on patient names. California had been slow to make the change because of fears that it would compromise patient privacy and deter testing.


Proponents defended the name system by arguing that AIDS, which can take a decade or more to develop after HIV infection, had long been tracked in a confidential database of names.

HIV/AIDS services and advocacy groups said this was the first known breach of that database.

“I would hope this is an anomaly,” said Jeff Bailey, director of client services for AIDS Project Los Angeles. “I would not want to give way to panic about this release. It did not go to random citizens of the state, where this information might be shared with someone outside the HIV and AIDS circle.”

Lori Yeghiayan, spokeswoman for AIDS Healthcare Foundation, called the breach an “unfortunate error,” but not a sign of a systemwide failure.

“From my understanding, it was an individual’s error and the individual has been removed,” she said.

Shewry said that it appeared that a newly hired clerk thought the letters were form letters and did not realize that each was personally addressed. The clerk put the 54 letters into envelopes and then affixed 54 preprinted mailing labels. The clerk has been reassigned pending completion of the investigation, Shewry said.

“We are investigating and interviewing all the employees who are involved in the chain of command,” she said. “This is not how we do business, and we don’t intend to have this be the way we do business.”

The letters went to clients enrolled in the California AIDS Drug Assistance Program who are eligible for the Medicare Part D Premium Payment Program. In addition to names and addresses, the letters included Medicare Part D plan names and premium payment amounts but no Social Security numbers, medical record numbers or other confidential information, Shewry said.

People who received misaddressed letters began contacting the department Wednesday, said Kevin Reilly, director of prevention services. The callers were mostly concerned about whether they had been approved for benefits, Reilly said.

At least one letter wound up in the right envelope; that person called with a separate question about benefits.

The department on Friday mailed certified letters to the 54 enrollees, explaining the mix-up and asking that anyone who received a wrongly addressed letter destroy it. It also notified the California Highway Patrol, as is required by a state law on security breaches.

The department is looking into ways to make the system more foolproof, such as using envelopes with window addresses, said Shewry.