Hepatitis Patients' Data Exposed
Report: Philadelphia Department of Public Health Exposed Data on Website
The Philadelphia Department of Public Health inadvertently exposed on its website the records of thousands of hepatitis patients, according to a local news report.
The data exposure incident points to the need for better staff training, says Paul Hales, an independent HIPAA attorney. “Staff must be trained to protect health information privacy and properly supervised,” he says. “Ultimately the fault lies with senior management and governing boards who are responsible for compliance within their organization.”
The Philadelphia Inquirer reports that one of its reporters on Oct. 11 discovered the accessible health department data, which included reports of patients diagnosed with hepatitis B or C from 2013 to 2018.
“The reporter discovered the accessible data, which in one case included 23,000 individual records of new cases of hepatitis C,” the newspaper reports.
The Inquirer said it notified the city’s health department, which immediately removed the data from its website. The newspaper says it did not download or preserve the data. “Information included each patient’s name, gender, date of birth, address and test results, and in some cases, Social Security numbers and notes by health providers,” it reports.
It remains unclear how long the data was accessible or what led to it being exposed.
In a statement provided on Monday to Information Security Media Group, the Philadelphia Department of Public Health says it was notified on Oct. 11 that personal health information was available for download on one of the department’s webpages. “The information was removed immediately. Since that time, the health department had been working with the vendor and city officials to find out what data was potentially exposed, how many people's records were exposed, and what actions are required to be done in response to the exposure,” the statement says.
In the meantime, the health department is assessing all data available on the website to ensure no other personal information is available and reviewing data presentation policies to prevent other data exposure incidents, the statement says. “As we learn more about what happened and who was affected, we will take appropriate actions.”
The Philadelphia mishap appears to have similarities to a number of other major healthcare data breaches involving misconfigured IT settings.
For instance, among some of the largest health data breaches posted so far this year to HHS’ HIPAA Breach Reporting Tool website was an incident reported in April by Inmediata Health Group. In that incident, the Puerto Rico-based clearinghouse and cloud software services provider said a misconfigured webpage setting potentially exposed protected health information of 1.56 million individuals.
Also, in February, Seattle, Washington-based healthcare system UW Medicine reported to HHS an incident involving a database coding error that exposed PHI of more than 973,000 individuals to internet search engines.
Other Health Department Breaches
Several data breaches involving state government health agencies have been reported to the U.S. Department of Health and Human Services over the years.
Those include a 2014 incident reported by the Montana Department of Public Health and Human Services that affected more than 1.3 million individuals.