Transcribed Medical Records Exposed on the WebExperts Offer Insights on How to Avoid Similar Security Blunders
Children's National Health System in Washington is blaming a medical transcription company's misconfigured file server for a data breach that exposed thousands of patient records on the web.
The incident points to the need for healthcare organizations and their business associates to take extra precautions to ensure that protected health information isn't inadvertently exposed on web servers.
"Due to changes and upgrades to systems, a system that is secure today could become vulnerable with the next change - thus the need to repeat the vulnerability scan periodically," says Mark Dill, former longtime CISO at the Cleveland Clinic who is now a principal consultant at tw-Security.
In a statement posted on its website, the pediatric health system says that it became aware on Feb. 25 that Ascend Healthcare Systems, a dictation vendor based in Centreville, Va., had inadvertently misconfigured a file server that contained patient information. "This might have allowed access from the internet to transcription documents for as many as 4,107 Children's National patients via a File Transfer Protocol server from Feb. 19, 2016 to Feb. 25, 2016."
In a separate "notice to patients," Children's National adds that the FTP server mishap enabled the web-exposed transcriptions to be "located through a search engine, such as Google."
When Children's National was made aware of the exposed data by an unnamed party, it immediately contacted Ascend about securing the server and removing the pediatric healthcare provider's transcription documents, the healthcare provider says.
Ascend provided medical transcription services to Children's National for only a brief period - May 1, 2014, to June 23, 2014 - a Children's National spokeswoman tells Information Security Media Group. The healthcare provider decided in the spring of 2014 to discontinue its use of Ascend's transcription services in favor of working with another vendor for reasons unrelated to security, she says.
Ascend provides medical transcription services to organizations across the nation, Children's National notes in its statement. "This [unsecured Ascend server] might have allowed access from the internet to transcription documents from a number of healthcare entities, including Children's National," the healthcare provider contends.
The transcription company did not immediately respond to ISMG's request for comment on the incident and whether other healthcare providers were impacted by the unsecured server.
In addition to patient data being exposed on Ascend's unsecured file server, Children's National says Ascend failed to comply with terms of its contract with the healthcare provider. In its statement, Children's National says that Ascend was "required under contract to maintain privacy of patient records," adding that when it ceased doing business with Ascend on June 23, 2014, "as part of that separation, Ascend was contractually obligated to delete all Children's patient information."
Patient data potentially exposed in the incident, according to the healthcare provider, includes names, dates of birth, medications and physicians' notes regarding diagnosis and treatment. The Children's National spokeswoman says the information was part of physician notes dictated about patient visits. "We have no reason to believe at this time that the information has been viewed by unauthorized parties or that it has been taken or misused," Children's National says in its statement.
Because no financial information or Social Security numbers were exposed in the incident, Children's National is not offering credit monitoring services, the spokeswoman says.
In another recent data breach, Children's National in February 2015 reported to the U.S. Department of Health and Human Services that a phishing email to the organization's employees resulted in a hacking incident affecting more than 18,000 patients, according to HHS' "wall of shame" website listing health data breaches affecting 500 or more individuals.
A number of other healthcare organizations have reported incidents involving data compromised on the web as a result of security mishaps.
In March, St. Joseph Health System in California agreed to a $28 million settlement of a lawsuit stemming from such a breach. That incident involved medical information of patients at nearly a dozen hospitals that was publicly accessible online via search engines for about a year starting in February 2011.
And in December 2013, Cottage Health System in California notified about 32,500 patients that their personal and health information had been exposed on Google for 14 months because of a lapse in a business associate's protections for one of its servers.
The Cottage Health incident also set off a series of legal problems for the healthcare provider, including a class action lawsuit that also was later settled. Subsequently, Columbia Casualty, a cyber insurer that paid more than $4 million, plus defense attorney expenses, to settle the suit on behalf of Cottage Health, filed its own suit against the healthcare organization in an attempt to claw back those payments (see Insurer Seeks Breach Settlement Repayment).
The exposure of patient data on the web has also prompted sanctions from federal regulators.
Last year, HHS' Office for Civil Rights Federal slapped St. Elizabeth's Medical Center in the Boston area with a $218,000 HIPAA settlement after an investigation following two security incidents. One involved staff members using a website to share documents containing patient data without first assessing risks.
Preventing These Breaches
Healthcare organizations and their business associates can take several steps to reduce the risk of exposing patient data on the web.
"Accidental misconfigurations of internet-facing systems is always a possibility," notes Keith Fricke, a principal consultant at security consultancy tw-Security. "System administrators can reduce that risk by testing access after changes are made to ensure the expected controls are active. Criminals continue to scan the internet for targets of opportunity; they can stumble upon web servers that are missing security patches or are misconfigured."
Penetration testing, vulnerability assessments and secure configuration practices are necessary to prevent and discover this type of problem before it leads to a breach, Dill adds.
In addition, the incident affecting patients at Children's National is a reminder of the importance of scrutinizing the security procedures of business associates.
"It is incumbent on every provider to go beyond a BA contract signature to vet the security profile of each partner," Dill says. "In this case, asking the BA to provide evidence that they securely configure public-facing servers, patch them, manage their changes, scan them for vulnerabilities, fix critical flaws quickly and [schedule] periodic penetration tests by a qualified third party would have been prudent."