Twelve patients sued a St. Louis, Missouri, plastic surgeon after discovering that pre- and post-surgery images of their breasts were displayed, complete with their identities, on their physician’s website.
While the patients had provided written authorization for their images to be displayed, their identities were to be protected, according to a St. Louis Post-Dispatch report.
The problem occurred when the images were uploaded to the website. Dr. Michele Koo allegedly failed to rename the files or edit the image description text, which immediately became searchable from anywhere in the world.
Creating content on most medical practice websites is as easy as creating a Facebook post. Dr. Koo said she believed her patients were protected because her website was managed by Mednet, a company that specializes in medical websites. But as soon as the lawsuit was filed, that company distanced itself from its client.
In their 2011 lawsuits, patients claimed Dr. Koo was negligent in her use of their protected health information.
According to The Post-Dispatch story, Mednet blamed Koo for the privacy breach. “(Mednet) did not post, control, or influence the content.” The company also claimed legal immunity as a website host under the Communications Decency Act. One thing is clear: neither understood HIPAA.
A visit to Dr. Koo’s website still reveals before and after images, but the image file names appear to have been edited to protect patient identities.