On Jan. 12, 2018 at 9:53 a.m., an email sent out by Disability Services Director, Pamela Rohland, violated the confidentiality of all of the students included in the service.
Instead of using the bcc option, which keeps all recipients anonymous, Rohland mistakenly used the cc option which allowed everyone who was sent the email to see who it was sent to, and therefore see which students are receiving help by disability services.
An email following this confidentiality breach was sent out the next afternoon. The email addressed the issue and told the students to “delete” the previous email, and “treat it with confidentiality.”
This is not the first time a confidentiality incident occurred within Disability Services. According to a statement from Disability Services, 35 students in the College of Business Administration had their confidentiality violated in February as well.
“In February, an internship flier was emailed to 35 College of Business Administration students with disabilities, but a list of those 35 students’ email addresses, ID numbers, phone numbers, addresses and counselors assigned, was mistakenly attached to the email.”
The policy on confidentiality put out by Disability Services labels these two instances as clear violations of the student’s privacy. “No private information about our students is communicated without express written permission of the student,” states the policy. “This includes parents and family members and parties outside of the University.”
According to HIPAA laws, the information sent out on both occasions is classified as Protected Health Information. To avoid violating student’s confidentiality, staff and faculty must not disclose this specific information to anyone other than the student unless given consent, and if so, it is a violation of federal and state laws.
“Remove all 18 Personal Identifiers to avoid being subject to HIPAA… : Names, Addresses, Zip Code, Dates, Visuals, Phone numbers, fax numbers, email addresses, Web URLs, IP address numbers, Any other unique identifying number, characteristics, or code.”
Rohland commented on this incident.
“The office of Disability Services deeply regrets the errors made and has improved procedures to better ensure the confidentiality of our students,” said Rohland. “All the impacted students have been notified about the distributions, and we will follow up with them to let them know how we have addressed the issue.”
According to a student on disability services, who asked to be anonymous to protect their medical privacy, not much has been done to fix this situation other than the apology email sent out on Jan. 13, 2018.
“Nothing, really, has been done to rectify her position… no discipline action has been taken, nothing,” the student said. “The only thing they have done is create a back-stopping system so that before you send an email through disability services, a pop-up comes up and says ‘Are you sure you want to send this email?’”
In regards to this violation, the student voiced concerns about students knowing who is on disability services, as well as also having their contact information.
“It is insane, the amount of information that can be received about a person with just a last name,” they said. “So, the fact that that was sent out to 197 people… if any one person had malintent all 196 other people could be screwed.”
The student voiced concerns about legal issues that came with this confidentiality violation.
“She broke confidentiality laws,” the student said. “That’s 197 people as a class-action lawsuit, had any number of us wanted to bring that forward.”
The student and other students do not feel as though any of their personal information is safe with disability services, and with URI as a whole.
“There have been other incidents where URI has been hacked. How is it that every couple of weeks we get an email that says that there has been a scam going around?” the student said. “And how does a student office… whose sole responsibility is to make sure that we are all safe and protected… how can they then be that huge breach of confidentiality.”
For some students, being helped by disability services is a private matter, and many feel as though that privacy is gone as others now know due to being part of the email list.
“It’s really private for some people… If you are working with disability services, where you deal with people with mental health issues… medical issues, learning disabilities, cultural stuff, you have to be aware and competent in all of those areas,” the student said. “And, if you are not in one area, you should not be in that position.”