On March 1st I discovered a non-password protected database that contained what appeared to be medical case files. I immediately notified the organization that we suspected was responsible based on information found inside the database. It was a Friday evening and the phone went straight to voice mail, leaving the database wide open and publicly accessible until Monday, March 4th when a followup determined that access had finally been restricted. It is unclear how long this data may have been exposed or who else may have had access to these highly sensitive medical records.
This discovery contained the records of an estimated 37,000 people who’s data has been potentially compromised in an alleged data breach involving New Jersey based Home Health Radiology Services LLC. These records contained names, date of birth, phone numbers, addresses, diagnoses, notes, and we even saw Social Security Numbers (SSN).
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that requires health care providers and organizations, as well as their business associates, to ensure the confidentiality and security of protected health information (PHI). The Security Rule applies to protected patient health information in electronic formats. Any Patient information that is transmitted or stored by electronic media or maintained on electronic media must be encrypted and unfortunately in this case it was in plain text. When it comes to HIPAA compliance organizations must include prevention, detection and response with their data protection practices.
According to their website “Home Health Radiology Services (HHRS) is working in more homes than any other radiology company in the State of New Jersey. We also work in Assisted Livings, Daycares and most other facilities”.
Here is what we have discovered that included the following:
It is unclear if this incident was reported to the authorities as required by HIPPA and New Jersey breach and notification laws. Despite several attempts and a request for comment regarding this data incident, Home Health Radiology Services LLC has not responded or commented at the time of this publication.
Stay ahead of cyber threats with Security Discovery. We offer expert consulting, comprehensive services, and a powerful vulnerability monitoring SaaS platform. Protect your business proactively - get in touch today for personalized digital security solutions.