- Kromtech Security researchers found a publicly accessible Amazon S3 repository that may have led to a health data breach impacting more than 150,000 individuals, according to a company report.
“Patient Home Monitoring” is the company reportedly connected to the database, which contained 316,363 PDF reports in the form of weekly blood test results.
Weekly blood test results, including patient first and last names, addresses, phone numbers, and test results were included. Doctor’s names, case management notes, and additional client information were also in the database, according to Kromtech Security researchers.
Kromtech said it first identified the issue on September 29, 2017, and that a notification email was reportedly sent on October 5. The bucket was secured from public access on October 6, but researchers added that no one responded to them with “any statement or response.”
The “Patient Home Monitoring” company “provides an in-home testing program that is aimed at improving clinical patient outcomes,” Kromtech reported. The program is meant to spare patients weekly office visits.
The Amazon repository was misconfigured to be publicly available, giving any individual with internet access the ability to view private medical records, stated Kromtech VP of Strategic Alliances Alex Kernishniuk.
“Basic security measures” would have prevented the data breach, Kernishniuk added.
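One form those “basic security measures” take is an audit of a bucket’s ACL grants and its Block Public Access settings (a feature AWS added after this 2017 report). The following is an added example written for this article, not Kromtech’s or Patient Home Monitoring’s code; the configuration dicts are constructed here in the shape boto3’s get_bucket_acl() and get_public_access_block() return, so the check runs offline.

```python
# Added example: offline evaluation of an S3 bucket's ACL grants and its
# Block Public Access settings. The sample dicts below are constructed;
# in practice they would come from boto3 responses with the same keys.

# Group URIs that make an ACL grant readable by the world or by any
# AWS account holder. Both count as "public" for this check.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group, permission) pairs granted to public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings

def public_access_fully_blocked(pab):
    """True only when all four Block Public Access flags are enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))

def assess_bucket(acl, pab):
    """Classify a bucket as 'public', 'risky' or 'private'."""
    grants = public_acl_grants(acl)
    if grants and not public_access_fully_blocked(pab):
        return "public"   # public grants are in effect
    if grants:
        return "risky"    # public grants exist but are neutralised by the block
    return "private"

# Constructed sample: a world-readable ACL (the misconfiguration in the
# Kromtech report) with and without Block Public Access enabled.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
NO_PAB = {}  # get_public_access_block() raises when none is set; treat as empty
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print(assess_bucket(EXPOSED_ACL, NO_PAB))        # public
    print(assess_bucket(EXPOSED_ACL, HARDENED_PAB))  # risky
```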
LA hospital reports unauthorized employee access
Unauthorized employee access may have allowed the PHI of 1,140 patients to be viewed, according to an Our Lady of the Angels Hospital statement.
The Louisiana-based hospital said the individual’s employment was terminated upon discovery that the patient records were viewed without authorization.
The individual accessed the data from March 17, 2014 to July 25, 2017. Information included names, addresses, insurance information, phone numbers, Social Security numbers, dates of birth, gender, diagnoses, dates of services, places of services and certain clinical information such as orders, medications, test results and clinical abstracts.
“Patient privacy is a top priority and we have a zero tolerance policy for employees who improperly access patient data,” Our Lady of the Angels Hospital President and CEO Rene Ragas said in a statement. “We deeply regret that this happened and we are committed to doing the right thing.”
There is no evidence that any patient data was utilized or misused, Ragas added. However, potentially impacted patients are being notified of the incident and will be offered 12 months of complimentary credit monitoring services.
“To help prevent any incidents like this from occurring in the future, the hospital is reviewing its policies, revising its audit processes, and providing additional education to all employees regarding the privacy and security of confidential patient information,” the hospital FAQ explained.
Inadvertent data submission impacts Missouri facility
The MS Center of Saint Louis and Mercy Clinic Neurology Town and Country announced that some medication onboarding forms may have been submitted to pharmaceutical companies without patient signatures.
The pharmaceutical companies and other related parties consequently may have contacted patients for marketing and research without the patients’ permission.
The OCR data breach reporting tool states that 1,081 individuals may have been affected.
Information included patient names, patient contact information such as addresses, phone numbers and email addresses, patient health insurance information (including Social Security numbers in some cases), and patient treatment and prescription information.
“We take the privacy of our patient information very seriously and are very sorry this occurred,” Mercy Chief Compliance Officer Tony Krawat said in a statement. “We have changed our procedures and taken action to do our best to prevent anything similar from happening in the future.”
There is no indication that the information was used for any purpose other than for marketing, the organization added. However, affected patients are being offered 12 months of complimentary credit monitoring services.
Texas provider affected by previous CoPilot data breach
Texas-based Kraig R. Pepper, DO, PA, (Dr. Pepper) reported that his practice was affected by the previously announced CoPilot data breach.
CoPilot Provider Support Services, Inc. stated in January 2017 that it discovered unauthorized access on one of its databases, potentially affecting 220,000 individuals. CoPilot first learned of the incident in December 2015.
Dr. Pepper said he learned on July 31, 2017 that patients affected by the CoPilot incident had received treatment using the injectable drugs ORTHOVISC or MONOVISC that had been purchased from DePuy Mitek, Inc. (DePuy).
Dr. Pepper had 653 patients who received an injection of those two drugs, he explained. Only private information provided by Dr. Pepper to DePuy was affected, according to the statement.
The demographic information involved included names, addresses, Social Security numbers, dates of birth, states, zip codes, telephone numbers, and genders. Medical insurance information impacted included primary insurance, phone numbers, ID numbers, and Group numbers. Pharmacy insurance information involved included carriers, Rx Bin, secondary insurance, ID numbers, and group numbers.
Furthermore, provider information, licenses, DEA, NPI, Tax ID, PTAN, provider address, phone number, fax number, clinical information, and prescription information bearing the provider’s signature may also have been impacted.
However, medical records, labs, and X-rays were not affected, according to Dr. Pepper.
Patients who were impacted were also offered identity theft protection services.