Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security. Examples include:

• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (Ann Arbor News, February 10, 1999)
• A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000)
• An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996)
• The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (Hartford Courant, May 14, 1999)
• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (Boston Globe, August 1, 2000)
• A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (New York Times, April 4, 1997 and April 12, 1997)
• A speculator bid $4,000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991)
• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998)
• A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997)

No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.

A breach of a person's health privacy can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. For example:

• A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages. (National Law Journal, May 30, 1994)
• A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. (Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597)
• A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. (New York Times, October 10, 1992, Section 1, page 25)
• A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998)
• Consumer Reports found that 40 percent of insurers disclose personal health information to lenders, employers, or marketers without customer permission. ("Who's reading your Medical Records," Consumer Reports, October 1994, at 628, paraphrasing Sweeny, Latanya, "Weaving Technology and Policy Together to Maintain Confidentiality," The Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25, Numbers 2,3.)