Therein lies the problem with the Internet. One mis-click, one forgetful staffer, or one failed redundancy check, and your confidential “before and after” plastic surgery shots will expose your name, your cosmetic surgery procedure, and revealing photos to anyone who Googles you.
According to the Post-Dispatch, at least one St. Louis plastic surgeon, and possibly many more across the country, has been posting images of women, before and after cosmetic surgery, with the patients’ identities still attached to the photos.
Dr. Michele Koo’s photo gallery (warning: NSFW) was the first to be discovered. Ten women are suing her after their images weren’t stripped of their names. A Google search of each patient’s name would bring her topless photos up instantly. Though the patients agreed to have their photos used for promotional purposes, their identities and faces were supposed to be removed.
The problem seems to be with how the files were named at the doctors’ offices. If the computer files were named with the patient’s name, instead of a patient number, and then uploaded onto the website, the person’s identity was carried in the file name, where Google automatically located it.
The company behind the sites, MedNet Technologies, is pointing the finger at the doctors. MedNet provides the software and servers for the doctors’ sites. The doctors provide the content.
Under the Communications Decency Act, neutral publishers of third-party content shouldn’t be liable for damage caused by the content. However, if they serve a significant editorial role, or take a strong hand in the shaping of the content, they could be liable.
From what it sounds like, MedNet is merely a blogging and hosting platform. It provides the software and site layouts. The doctor’s office provides the content. If that’s the case, MedNet should be safe.
On the other hand, the doctor looks like she’s in trouble. The Health Insurance Portability and Accountability Act of 1996 prohibits the release of confidential patient information and medical records, inadvertent or not. Though the patients’ waivers would ordinarily protect the doctor’s office, the consent did not extend to the patients’ names.
The Post-Dispatch cites at least one case where a plastic surgeon’s violation of a patient’s privacy led to a $100,000 verdict. Though that case was overturned and is set for a retrial, it does give at least some indication of the type of exposure Dr. Koo is facing.
This could also turn into widespread litigation across the country, as MedNet hosts around 25,000 sites. The Post-Dispatch identified a few other MedNet sites, as well as another site hosted by MedNet’s competitor, Einstein Medical, that had the same privacy problems. As of now, all of the identified sites have had the problems fixed. One wonders, however, how many more remain.