42,000 Patients’ PHI Exposed because of Server Misconfiguration

March 31, 2018


A New York medical practice has disclosed that tens of thousands of its patients have had their PHI exposed online because of a misconfigured server. It is presently not clear whether anybody other than the security researcher who noticed the problem has retrieved the information.

The server misconfiguration was found on January 25, 2018 by Chris Vickery, director of cyber risk research at UpGuard. In a March 26 blog post, Vickery explained that he found an exposed port usually used for remote synchronization (rsync).

Although access should have been limited to particular whitelisted IP addresses, the port was misconfigured and let anybody see the data. All that was needed to connect to the server was its IP address.
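The failure described above is a missing host restriction on an rsync daemon. As an added example, not part of the original article and not the practice's actual configuration, the following Python audit parses two constructed rsyncd.conf files (a weak one with no `hosts allow`/`hosts deny` or `auth users`, and a hardened one restricted to two assumed backup-client addresses in the 192.0.2.0/24 documentation range) and reports, per module, the settings that would leave it open to any client that knows the server's IP address. The option names (`hosts allow`, `hosts deny`, `auth users`, `secrets file`, `read only`) are real rsyncd.conf parameters; the paths and addresses are assumptions.

```python
import configparser
from typing import Dict, List

# Constructed sample rsyncd.conf contents (assumptions for illustration only).
# No access control at all: every client IP can connect and read the module.
WEAK_CONF = """
uid = nobody
gid = nobody
use chroot = yes

[backup]
path = /srv/backup
read only = yes
"""

# Hardened: deny everyone globally, then allow only the two backup clients
# for this module, and require a daemon-level username/password.
HARDENED_CONF = """
uid = nobody
gid = nobody
use chroot = yes
hosts deny = *

[backup]
path = /srv/backup
read only = yes
hosts allow = 192.0.2.10 192.0.2.11
auth users = backupuser
secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text: str) -> configparser.ConfigParser:
    """rsyncd.conf puts global parameters before the first [module] header,
    which configparser cannot read, so a synthetic header is prepended."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[__global__]\n" + text)
    return parser


def audit_rsyncd_conf(text: str) -> Dict[str, List[str]]:
    """Return {module: [issue, ...]} for modules with weak access control.
    Module-level values override global ones, as rsyncd itself resolves them."""
    parser = parse_rsyncd_conf(text)
    glob = parser["__global__"]
    findings: Dict[str, List[str]] = {}
    for module in parser.sections():
        if module == "__global__":
            continue
        sec = parser[module]
        issues: List[str] = []

        hosts_allow = sec.get("hosts allow", glob.get("hosts allow"))
        hosts_deny = sec.get("hosts deny", glob.get("hosts deny"))
        # rsyncd semantics: with neither parameter set, all hosts are allowed.
        if not hosts_allow and not hosts_deny:
            issues.append("no 'hosts allow'/'hosts deny': any client IP may connect")
        elif hosts_allow and hosts_allow.strip() == "*":
            issues.append("'hosts allow = *' admits every client IP")

        auth_users = sec.get("auth users", glob.get("auth users"))
        if not auth_users:
            issues.append("no 'auth users': module is reachable without credentials")

        read_only = sec.get("read only", glob.get("read only", "yes"))
        if read_only.strip().lower() in ("no", "false", "0"):
            issues.append("'read only = no': clients can write into the module")

        if issues:
            findings[module] = issues
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_rsyncd_conf(conf) or "no findings")
```

Host allow-lists are a network-layer control and should be paired with a firewall rule on TCP port 873 (the rsync daemon port) so that the daemon is never reachable from the public internet even if the configuration file regresses.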

Vickery found two parts in the repository, one of which – named backupwscohen – was openly accessible and included numerous files containing extremely confidential data. A virtual hard drive was also accessible that was found to hold staff details, including partner details, children’s names, and in some cases Social Security numbers. An Outlook archive file was also left unprotected; it contained a large number of email messages.

Vickery also found a database with over 42,000 patients’ details, including email addresses, ethnicities, Social Security numbers, postal addresses, phone numbers, health insurance data, birth dates, and clinical notes. The clinical notes included more than 3 million observations.

Vickery followed the data trail to the New York medical practice of Cohen, Huntington, Bergman, Klepper & Romano MDs PC. Starting on February 12, Vickery made many attempts to reach the physicians and alert them to the problem. Direct contact was attempted, as was contact through a local hospice, and Databreaches.net was asked to help locate the doctors.

No action was taken until March 19, when a message reached the doctors and steps were taken to secure the leaking server. The PHI of all patients has now been secured.