PHI of 8,300 Cerebral Palsy Research Foundation of Kansas Patients Exposed for 10 Months

May 14, 2018


An error left a database used by the Cerebral Palsy Research Foundation of Kansas (CPRF) without its security controls for 10 months, leaving the protected health information (PHI) of 8,300 patients accessible.

The affected demographic database was discovered on March 10, 2018 and was promptly secured. The investigation into the breach found that the database had originally been set up on a secured subdomain in early 2000, but when CPRF migrated its servers in 2017 the database was overlooked, and its security controls were unintentionally removed in the process. While the database was exposed, it is possible that the PHI it contained was accessed by unauthorized individuals.

The exposed data was limited to personal information and health information about the type of disability of the individuals receiving treatment. No financial data or donor information was exposed. The affected individuals had received services from CPRF between 2001 and 2010.

It is not known whether any of the exposed information was actually accessed by unauthorized parties while the database was reachable. As a precaution, CPRF is offering all affected individuals 12 months of credit monitoring and identity theft protection services at no cost.

As part of its investigation and vulnerability remediation, CPRF conducted a full review of all of its domains, subdomains, and databases and found no further exposures. Data security policies have since been updated, including policies and procedures covering staff transitions, so that assets are not lost track of during handovers or migrations in a way that could again result in the exposure of PHI. CPRF has also engaged a third party to perform regular vulnerability scans and penetration tests.

All affected individuals have been notified of the privacy breach by mail, and a breach report has been filed with the Department of Health and Human Services' Office for Civil Rights (OCR).