On March 1st I discovered a non-password-protected database that contained what appeared to be medical case files. I immediately notified the organization that we suspected was responsible based on information found inside the database. It was a Friday evening and the phone went straight to voice mail, leaving the database wide open and publicly accessible until Monday, March 4th, when a follow-up determined that access had finally been restricted. It is unclear how long this data may have been exposed or who else may have had access to these highly sensitive medical records.
This discovery contained the records of an estimated 37,000 people whose data has been potentially compromised in an alleged data breach involving New Jersey-based Home Health Radiology Services LLC. These records contained names, dates of birth, phone numbers, addresses, diagnoses, notes, and we even saw Social Security Numbers (SSNs).
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which requires health care providers and organizations, as well as their business associates, to ensure the confidentiality and security of protected health information (PHI). The Security Rule applies to protected patient health information in electronic form. Any patient information that is transmitted or stored by electronic media or maintained on electronic media must be encrypted; unfortunately, in this case it was in plain text. When it comes to HIPAA compliance, organizations must include prevention, detection and response in their data protection practices.
According to their website “Home Health Radiology Services (HHRS) is working in more homes than any other radiology company in the State of New Jersey. We also work in Assisted Livings, Daycares and most other facilities”.
Here is what we discovered, which included the following:
- 37,000 Case Files in plain text (some dating back to 2010).
- 1,540 Doctor’s Information records.
- 1,080 Records in a folder called “Remit”.
- This was an Elastic database set to open and visible in any browser and anyone with an internet connection could access these records.
- Names, phone numbers, medical data, and other information about customers, doctors and internal users, all in plain text.
- Chat logs, emails, support tickets and more.
- Some files contained SSNs.
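To illustrate the kind of misconfiguration behind an "open and visible in any browser" Elastic database, the following elasticsearch.yml fragments are an added example, not configuration taken from this page or from HHRS: the first shows settings that leave a node readable by anyone who can reach it, the second a hardened equivalent. The setting names are Elasticsearch's own; the private address, the keystore path, and the assumption that a version with the X-Pack security features available is in use are mine.

```yaml
# EXPOSED (illustrative): the node listens on every interface with no
# authentication and no TLS, so anyone who can reach port 9200 can list
# indices and read documents straight from a browser.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# HARDENED (illustrative): bind only to a private interface, require
# credentials on every request, and encrypt client traffic.
# The address and keystore path below are assumed values.
network.host: 10.0.5.12                     # private address, never a public one
http.port: 9200
xpack.security.enabled: true                # unauthenticated requests are rejected
xpack.security.http.ssl.enabled: true       # HTTP API only over TLS
xpack.security.http.ssl.keystore.path: certs/http.p12
```

The hardened fragment is only part of the answer: the node should additionally sit behind a host or network firewall that limits port 9200 to the application servers that need it, so that a later configuration regression does not silently re-expose the data.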
It is unclear whether this incident was reported to the authorities as required by HIPAA and New Jersey breach notification laws. Despite several attempts and a request for comment regarding this data incident, Home Health Radiology Services LLC had not responded or commented at the time of this publication.