Patient Health Records Exposed
The fun never ends in the cybersecurity world. Researchers at Kromtech Security Researchers recently disclosed the existence of yet another insecure AWS server. This time, the server stored the most sensitive of all data – patient health records.
What’s Happened
On Sept. 29th, Kromtech discovered a new insecure server, owned by Patient Home Monitoring Corp. (PHMC). PHMC accidentally changed configuration settings to make the server “Public” instead of “Private”, the default setting. The result? Public exposure of 316,363 separate PDFs (41.5 GB) containing extremely sensitive patient records. Files have included doctors’ notes, lab results, names, and personal contact info. Since PHMC provides at-home blood tests, almost all the data the PHMC has on someone got exposed in this breach. All told, the researchers believe that these PDFs expose the health data of up to 150,000 Americans. Kromtech notified PHMC of what they found on Oct 5th, and the company fixed the issue the next day.
This breach is especially interesting due to HIPAA regulations. According to Fierce Healthcare, HIPAA regulations require notification of affected parties within 60 days of a data breach. If the breach impacts over 500 people, the company must also notify the US Department of Health and Human Services. The company’s own privacy policy states that patients “have a right to be notified by the company if there is a breach of [their] unsecured confidential health information.” Notably, the company has not replied to requests for comments from multiple media organizations. It’s going to be interesting to see how PHMC handles this crisis. HIPAA breaches can cost up to $50,000 in fines per single violation, not to mention the reputational damage resulting from such a violation. One would hope PHMC is too busy locking down the rest of their systems to reply ….
Further Reading
Secure Compliance Solutions LLC (SCS) provides a wide range of CISO advisory consulting and Managed Security Services that help our clients build and strengthen their strategic Information Security and Data Privacy programs. SCS believes that a comprehensive implementation of industry-tested frameworks and standards not only helps organizations meet their compliance goals, but significantly strengthens overall security posture. We raise awareness of current security trends and risks to prepare personnel to recognize potential security issues. Our Managed Security Service is designed so clients can offload the responsibility of “constant watch” against both internal and external cyber threats and attacks. SCS helps our customers wade through complex and evolving cybersecurity regulations, and defends their business interests against increasingly sophisticated cyber threats. At SCS, we champion a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities. Contact us to learn more.
