10-Month Exposure of PHI of 8,300 Cerebral Palsy Research Foundation of Kansas Patients Disclosed

May 14, 2018


A mistake left a database used by the Cerebral Palsy Research Foundation of Kansas (CPRF) with its protection switched off for 10 months, exposing the protected health information (PHI) of 8,300 patients.

The affected demographic database was discovered on March 10, 2018 and was swiftly secured. The audit into the breach found that although the database had been set up on a secure subdomain in early 2000, it was overlooked when CPRF switched its computer networks in 2017, resulting in the unintentional removal of its security measures. While the database was unprotected, it is possible that personal and health information was accessed by unauthorized individuals.

The breach was limited to personal data and health information pertaining to the type of disability experienced by those receiving care. No donor information or financial data was retrieved. The people affected by the breach had attended CPRF between 2001 and 2010.

It is not known whether any of the unprotected information was obtained by unauthorized parties during the period that the database was accessible. As a precautionary step, CPRF is offering all affected individuals 12 months of credit monitoring and identity theft protection services free of charge.

As part of its audit and vulnerability remediation efforts, CPRF carried out a complete review of all domains, subdomains, and databases and found no further vulnerabilities. Data security plans have now been strengthened, as have the policies and procedures related to staff transitions, to prevent further errors that could result in the disclosure of PHI. CPRF has also engaged a third party to carry out regular vulnerability scans and penetration tests.

All affected individuals have been notified of the privacy breach by mail, and a breach report has been submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR).