We have another data breach on our hands, but this time it’s not exactly what you expect. Sensitive medical records, lab test results and other patient files belonging to an estimated 150,000 Americans were found online by security researchers late last month. The records were discovered by researchers at the Kromtech Security Center, and the data had been stored on an unsecured Amazon S3 bucket. According to Kromtech, the files were publicly accessible: no password or other credential was needed to read them. A cursory examination of the contents showed that a wide range of sensitive patient details had been exposed, including names, addresses, diagnoses and test results.
Is this bigger, or worse, than the Equifax breach? The sheer numbers indicate that it is not as bad, but it still isn’t good, and this kind of information shouldn’t be leaked regardless of scale. The files have been linked to a healthcare services company, Patient Home Monitoring Corporation (PHM), which provides US patients with in-home monitoring and disease management services. The exposed bucket held about 47 GB of data, comprising over 300,000 PDF files. I’m concerned about how this information could be used.
The exposure was first discovered on September 29th. On October 5th, PHM was alerted that sensitive medical records held by the company had been exposed, and the bucket was secured the same day. Alex Kernishniuk, Kromtech’s Vice President of Strategic Alliances, had this to say about the breach:
“This Amazon repository was misconfigured to be publicly available and anyone with an internet connection could access these confidential medical records. Even the most basic security measures would have prevented this data breach.”
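The misconfiguration Kernishniuk describes is an S3 bucket whose ACL or bucket policy grants access to everyone. As an added example (not from the original post, and not Kromtech’s or PHM’s code), the Python below shows how to recognise that state from the ACL and policy documents that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, and the Block Public Access settings that would have prevented it. The ACL, the policy and the bucket name `example-phm-records` are constructed samples, not the real bucket; the code needs only the standard library.

```python
"""Added example: detect a world-readable S3 bucket from its ACL and bucket
policy, and show the Block Public Access configuration that closes it.
The ACL/policy documents below are constructed samples in the shape the
AWS API returns; the bucket name example-phm-records is hypothetical."""
import json
from typing import List, Optional, Tuple

# S3's predefined "everyone" grantee groups, as they appear in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# AuthenticatedUsers means any AWS account in the world, so it is public too.
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (group, permission) pairs in an ACL that grant access to everyone."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def anonymous_policy_statements(policy: dict) -> List[str]:
    """Return the Sids of Allow statements open to an anonymous principal.
    Statements carrying a Condition are still reported: a condition can
    narrow the grant, but a human must confirm that it actually does."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _principal_is_anonymous(s.get("Principal"))]


def bucket_is_public(acl: dict, policy: Optional[dict]) -> bool:
    """Public if either the ACL or the bucket policy opens it to everyone."""
    return bool(public_acl_grants(acl)) or bool(policy and anonymous_policy_statements(policy))


# The setting that would have prevented the bucket from ever being public:
# all four flags on.  With boto3 this is applied per bucket by
#   s3.put_public_access_block(Bucket=name,
#                              PublicAccessBlockConfiguration=HARDENED_PUBLIC_ACCESS_BLOCK)
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,        # reject new public ACLs on the bucket and its objects
    "IgnorePublicAcls": True,       # ignore public ACLs that already exist
    "BlockPublicPolicy": True,      # reject bucket policies that grant public access
    "RestrictPublicBuckets": True,  # if a public policy exists, limit it to this account and AWS services
}

# --- constructed samples (not the real PHM bucket) ---
LEAKY_ACL = json.loads("""{
  "Owner": {"ID": "example-owner-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")

LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phm-records/*"}
  ]
}""")

PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"}],
}

if __name__ == "__main__":
    print("leaky bucket public:", bucket_is_public(LEAKY_ACL, LEAKY_POLICY))
    print("  ACL grants to everyone:", public_acl_grants(LEAKY_ACL))
    print("  anonymous policy statements:", anonymous_policy_statements(LEAKY_POLICY))
    print("private bucket public:", bucket_is_public(PRIVATE_ACL, None))
```

The check is deliberately conservative: any Allow statement with an anonymous principal is reported even when it carries a Condition, because a condition can narrow the grant but only S3’s own policy evaluation (surfaced as the Public indicator in the S3 console and by IAM Access Analyzer) can confirm that it does. The hardened settings can be applied per bucket with `aws s3api put-public-access-block`, and, better, account-wide through the S3 Control API, so that a single misconfigured bucket cannot become world-readable at all.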
In addition to names, addresses, and other contact information, many of the records contained dates of birth and the names of physicians overseeing the care of the patients. This information is subject to strict safeguards under the Health Insurance Portability and Accountability Act (HIPAA). Why do these data breaches keep happening? Is there anything that can be done to prevent the breaches from happening in the first place?
Companies like PHM are required by law to develop and implement policies and procedures to protect any electronic protected health information they “create, receive, maintain or transmit”. Under HIPAA’s Breach Notification Rule, covered healthcare providers must notify affected patients without unreasonable delay, and in no case later than 60 days after the breach is discovered. But is that soon enough? To me, that seems like a long time between when a breach occurs and when the individuals are notified. Don’t you think?
Additionally, if the provider has insufficient or out-of-date contact information for 10 or more patients, it must provide substitute notice: either post a notice of the breach on its website for at least 90 days, or circulate it through major print and broadcast media in the areas where the affected patients reside. If more than 500 affected patients reside in a single state or jurisdiction, the provider must also notify prominent media outlets serving that state or jurisdiction. HIPAA violations also carry financial penalties. Where the provider could not reasonably have known about the violation, fines may be as low as $100 per violation, but where the provider is found to have acted with “willful neglect”, fines can reach $1.5 million per year for violations of the same provision.
To conclude, I will leave you with a statement made by Kromtech. It sounds a bit like they’re trying to shift blame, but what they’re saying does sound plausible:
“Sadly the US has the most expensive, least effective health care system by nearly every measurement. Complex insurance rules and distorted market signals create massive inefficiencies, frustrated patients, and providers burdened by excessive paperwork. No one will deny that digital records and patient home monitoring could bring some much-needed efficiency, however protecting that valuable medical data is a priority that must be taken seriously.”