Privacy concerns raised on Mass. medical marijuana e-mails

Patient advocates expressed dismay over the original e-mails, and data security specialists said they were surprised by the state’s handling of such sensitive information. Amid instances of identity theft and breaches of corporate computer systems, governments and private companies have moved to protect personal information in layers of encryption and other security measures.

Nichole Snow, deputy director of the Massachusetts Patient Advocacy Alliance, a group that supports access to medical marijuana, was among the patients who received an e-mail with the none-too-subtle subject line.

“I was shocked to see that,” Snow said.

She said some patients do not have access to computers in their homes, or through their cellphones, and log in to e-mails from public places, such as libraries, highlighting the need for discretion.

“This information should be treated . . . sensitively,” Snow said.

The health department’s e-mail slip-up is the latest misstep in the agency’s quest to roll out the medical marijuana program. Questions have plagued the department for the past year about the review of companies hoping to win dispensary licenses, hampering the opening of facilities.

David Szabo, a Boston lawyer with Locke Lord Edwards, who specializes in health care law, privacy, and data protection issues, said the health department’s original e-mail notification system appeared to violate a 2008 executive order by former governor Deval Patrick.

“They are supposed to protect the privacy of medical information,” Szabo said.

The order directed state agencies to comply with consumer protection rules that require anyone who owns or licenses personal information about Massachusetts residents to take steps to protect that information. Those measures include encryption of personal information stored on computers or e-mailed, and guidelines for limiting use of nonencrypted personal information in electronic messages.

A recipient of the marijuana program’s earlier e-mails — or anyone who happened to walk by the recipient’s computer screen — would know instantly the subject. Once opened, the e-mails revealed a patient’s full name, e-mail address, and state-assigned program ID number, much of what is needed to make it past the first security level in gaining access to the state’s database, which contains sensitive patient information.

The health department’s revised e-mails still show that they were sent from the “MedicalMarijuana” program, but that is in the process of being changed to a more generic account “to meet best practices,” according to a statement from the agency.

Tim Buckley, communications director for Governor Charlie Baker, said in an e-mailed statement that the administration “is reviewing the medical marijuana program from top to bottom, including concerns regarding patient privacy.”

He declined to comment further.

Before patients can get medical marijuana, they must receive a doctor’s approval. New state rules require patients and physicians to register with the health department’s computerized database.

At many of the state’s big teaching hospitals, doctors and patients have been sharing sensitive information online for more than a decade. Executives in charge of securing those systems say that even in the early days, administrators required nondescript subject lines on e-mails to protect patient information.

“I would assume there would be some patients signing up for the state’s program who would consider the information private,” and the blunt, but now-removed, medical marijuana subject line would have disregarded their privacy preferences, said Dr. John Halamka, chief information officer at Beth Israel Deaconess Medical Center, and a professor at Harvard Medical School.

When Beth Israel Deaconess launched its online communication system in 1999, subject lines to patients read “important information from your doctor,” Halamka said.

No personal patient information, passwords, or identification numbers are sent in hospital e-mails, he said. Instead, patients must click a link in the e-mail that connects them to a secure hospital website, accessed with a password, so that even if the patient’s computer is lost or stolen, there is no record of the communication on that device, Halamka said.

To further tighten security a few years ago, Beth Israel Deaconess added a device that scours all outgoing e-mail from the hospital, and if it senses any hint of patient information, including a patient’s name or identification number, it will block the communication and alert the patient in a generic e-mail that a “secure message” awaits. The e-mail contains a link to the hospital’s encrypted database, which the patient can access only with a password.

At Partners HealthCare, which includes Massachusetts General Hospital and Brigham and Women’s Hospital, physicians use a system that sends the generic subject line “new patient gateway message” in e-mails to patients, according to Cynthia Bero, director of Partners’ information systems.

E-mails from Partners do not include personal information or ID numbers, but instead direct patients to the hospital’s password-protected website to retrieve their physician’s communication, Bero said.

Patients receive their password for the system at their physician’s office, or can apply for a password on the hospital’s encrypted website, which uses a system similar to one employed by banks and other financial institutions.

“Most providers are very much aware of how important and sensitive health care information is,” Bero said, “and they go to great lengths to protect it.”

Kay Lazar can be reached at Kay.Lazar@globe.com Follow her on Twitter @GlobeKayLazar.