An adoption agency in Texas exposed their client database on the open web, making more than one million records public. The records included personally identifiable information about staff, children, and parents. These records revealed first and last names, physical addresses, email addresses, notes explaining the reasons for denial or acceptance of applications, and partial email correspondence. Leaving this adoption data exposed to criminals, who might use it for phishing or other types of adoption scams, was clearly a violation of privacy and a threat to the people included in the database.
Aren’t there laws about making adoption data vulnerable?
Adoption agencies aren’t automatically covered by HIPAA as schools and hospitals are. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a law requiring that medical records be kept private. Adoption agencies must follow HIPAA guidelines for the medical information they have — and their files will generally include some medical information — but other types of information are not covered.
In the case of the Texas adoption agency, for example, there were notes saying that individuals had been turned down because of mental health or substance abuse issues. This is likely to be considered medical information. If it was connected with personally identifying information such as a name or phone number, then making it public would break the law.
But even for information that isn’t considered medical data, there is an assumption of privacy. In Arkansas, for example, birth parents can keep their names a secret, and adoption files are closed, not public information. The Texas case included not only the names of adopted children and their birth parents, but also the numbers of court records and other information that is not normally available to the public. Even if the adoption agency couldn’t be prosecuted under Texas law, they certainly could be sued.
How did this happen?
In the Texas case, it appears that the agency’s database was transferred to a new service and was not correctly secured for several days during the transition. Technical errors like this are a very common cause of data vulnerability. However, the most common reason that people get access to information that should not be public is carelessness.
People leave sensitive data on the computer screen when they take a coffee break. They leave files out on a desk during meetings. They write their password to the database on a Post-It note and stick it on the frame of their computer monitor. This kind of relaxed behavior with private information takes place in offices every day.
What should you do to protect your data?
Ask your adoption professionals how they secure your information. You’ll want to hear that they limit access to the files and that computer records are password protected. Individual staff members should have individual passwords, not one shared code. This allows tracking of any questionable access.
You should be pleased to hear that the agency or office uses HIPAA-certified software, but remember that many adoption professionals are not covered by this law except in some specific cases. All staff members should respect your privacy, however, and should not send sensitive information in emails or texts.
And of course you should be cautious, too. If a stranger calls and gains your trust with information they have about you and your adoption journey, you should not relax and give them more information. Instead, ask for their name and number, and check with your adoption professionals to make sure they should be contacting you with questions.
