Server Misconfiguration Leads to the Leakage of 42,000 Patients’ PHI

Thousands of patients of a NY medical practice had their PHI exposed online because of a misconfigured server. It is currently unclear whether anyone other than the security researcher who found the exposure has accessed the files.

The server misconfiguration was discovered on January 25, 2018, by Chris Vickery, director of cyber risk research at UpGuard. In a March 26 blog post, Vickery explained that he found an exposed port normally used for remote synchronization (rsync).

Although access should have been restricted to specific whitelisted IP addresses, the port was misconfigured and permitted anyone to access the data. All that was needed to reach the server was its IP address.
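The whitelisting described above is set per module in the rsync daemon's configuration file through the `hosts allow` and `auth users` parameters. The following audit sketch is an added example, not code from the article or from UpGuard; the module names, paths and IP addresses in the sample configuration are constructed, and it checks only those two parameters.

```python
import re

# Constructed sample rsyncd.conf (not the configuration from this incident).
SAMPLE_CONF = """\
uid = nobody

[backup_open]
    path = /srv/backup

[backup_restricted]
    path = /srv/backup2
    hosts allow = 192.0.2.10, 192.0.2.11
    auth users = backupsvc

[backup_wildcard]
    path = /srv/backup3
    Hosts Allow = *
"""

def parse_rsyncd_conf(text):
    """Return {module: {param: value}}; global parameters act as defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), dict(globals_))
        elif "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and internal whitespace in parameter names.
            key = " ".join(key.lower().split())
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for modules any client could reach."""
    findings = {}
    for name, params in parse_rsyncd_conf(text).items():
        issues = []
        allow = [p for p in re.split(r"[,\s]+", params.get("hosts allow", "")) if p]
        if not allow or "*" in allow or "0.0.0.0/0" in allow:
            issues.append("no effective 'hosts allow' restriction")
        if not params.get("auth users"):
            issues.append("no 'auth users': anonymous access permitted")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit(SAMPLE_CONF)` reports `backup_open` and `backup_wildcard`, while `backup_restricted` passes both checks.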

Vickery found two modules in the repository, one of which, called backupwscohen, was publicly accessible and held many files containing highly confidential information. A virtual hard drive was also exposed and was found to contain staff details, including spouse information, children's names, and in some instances, Social Security numbers. An Outlook PST file was also left unsecured. The file held a large quantity of email communications.

Vickery also discovered a database with over 42,000 patients' names, ethnicities, email addresses, Social Security numbers, addresses, phone numbers, health insurance information, dates of birth, and medical notes. The medical notes contained over three million remarks.

Vickery traced the data to the Huntington, Bergman, Klepper & Romano MDs PC. Beginning on February 12, Vickery made several attempts to contact the physicians to notify them of the issue. Direct communication was attempted to help reach the doctors.

It took until March 19 for a message to reach the doctors and for action to be taken to secure the exposed server. The PHI of all patients has now been secured.