Patient Records Exposed in New Breach
Patient Health Records Exposed
The fun never ends in the cybersecurity world. Researchers at Kromtech Security recently disclosed the existence of yet another insecure AWS server. This time, the server stored the most sensitive of all data – patient health records.
What’s Happened
On Sept. 29th, Kromtech discovered a new insecure server, owned by Patient Home Monitoring Corp. (PHMC). PHMC accidentally changed configuration settings to make the server “Public” instead of “Private”, the default setting. The result? Public exposure of 316,363 separate PDFs (41.5 GB) containing extremely sensitive patient records. The files included doctors’ notes, lab results, names, and personal contact info. Since PHMC provides at-home blood tests, almost all the data PHMC holds on a patient was exposed in this breach. All told, the researchers believe that these PDFs expose the health data of up to 150,000 Americans. Kromtech notified PHMC of what they found on Oct 5th, and the company fixed the issue the next day.
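As an added example (not from the original post, Kromtech, or PHMC), and assuming the exposed “server” was an S3 bucket whose ACL granted access to everyone, here is an offline check that flags that configuration from the ACL and Block Public Access settings in the shape boto3 returns them; the sample ACLs below are constructed.

```python
# Offline check for a bucket set to "Public": an ACL grant to the AllUsers or
# AuthenticatedUsers group. Inputs mirror the shape of boto3's get_bucket_acl()
# and get_public_access_block() responses; no AWS call is made here.

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account holder
}

def public_acl_grants(acl):
    """Return (group, permission) pairs in the ACL that expose the bucket publicly."""
    exposed = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            exposed.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return exposed

def effectively_public(acl, public_access_block=None):
    """A public ACL grant only exposes data if Block Public Access does not override it."""
    if not public_acl_grants(acl):
        return False
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    # IgnorePublicAcls makes S3 disregard public grants on the bucket and its objects.
    return not cfg.get("IgnorePublicAcls", False)

# Constructed sample: the owner keeps FULL_CONTROL, but READ is also granted to everyone.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
BLOCK_ALL = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for name, acl, pab in [("exposed", EXPOSED_ACL, None), ("private", PRIVATE_ACL, None),
                           ("exposed-but-blocked", EXPOSED_ACL, BLOCK_ALL)]:
        print(f"{name}: public={effectively_public(acl, pab)} grants={public_acl_grants(acl)}")
```

This covers ACL grants only; a bucket policy with a wildcard principal can expose a bucket just as fully and needs a separate check.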
This breach is especially interesting due to HIPAA regulations. According to Fierce Healthcare, HIPAA regulations require notification of affected parties within 60 days of a data breach. If the breach impacts over 500 people, the company must also notify the US Department of Health and Human Services. The company’s own privacy policy states that patients “have a right to be notified by the company if there is a breach of [their] unsecured confidential health information.” Notably, the company has not replied to requests for comments from multiple media organizations. It’s going to be interesting to see how PHMC handles this crisis. HIPAA breaches can cost up to $50,000 in fines per single violation, not to mention the reputational damage resulting from such a violation. One would hope PHMC is too busy locking down the rest of their systems to reply ….
Further Reading
Secure Compliance Solutions LLC (SCS) provides a wide range of CISO advisory consulting and Managed Security Services that help our clients build and strengthen their strategic Information Security and Data Privacy programs. SCS believes that a comprehensive implementation of industry-tested frameworks and standards not only helps organizations meet their compliance goals, but significantly strengthens overall security posture. We raise awareness of current security trends and risks to prepare personnel to recognize potential security issues. Our Managed Security Service is designed so clients can offload the responsibility of “constant watch” against both internal and external cyber threats and attacks. SCS helps our customers wade through complex and evolving cybersecurity regulations, and defends their business interests against increasingly sophisticated cyber threats. At SCS, we champion a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities. Contact us to learn more.