N.C. State Website Exposes Patient Info
Payment Information Inadvertently Posted for Years
North Carolina's NC OpenBook website aims to provide the public with transparency into state spending. The state, however, recently discovered that some personal data inadvertently posted on the site for years provided too much transparency about some hospital patients.
The North Carolina Department of Health and Human Services last week began notifying 1,315 individuals that information regarding all payments made by North Carolina's state hospital accounts - including those to patients - had been mistakenly posted on the NC OpenBook website for several years.
As a result of the recent focus on the potential security shortcomings of the federal HealthCare.gov website, the public is particularly concerned about the privacy of their sensitive information on government systems, says Bill Miaoulis, founder of compliance consulting firm HSP Advisors. Incidents like the one in North Carolina are "a black eye for public trust," he says.
Independent security consultant Tom Walsh says incidents like the one in North Carolina often can be avoided if organizations make sure their information security officers are involved with website development and content and ensure that code is reviewed.
"For many organizations, it is their communications or marketing departments that spearhead the website, without any direct involvement from information security," Walsh says. "In some organizations, the web developers do not report to the IT department, therefore may not be aware of industry standards or IT governance for code development - in particular, code reviews."
Public-facing web applications should be regularly reviewed to address whether additional controls are needed to address ongoing threats and vulnerabilities, Walsh adds.
The NC OpenBook site was created in compliance with an executive order in 2009 by then-Governor Beverly Perdue that required the Office of State Budget and Management to build and maintain a searchable public website on state spending for grants and contracts, including payments to vendors and contractors, according to a statement from the state health department.
The state was posting information on NC OpenBook regarding all payments made through its accounting system, the statement notes. But after the North Carolina health department received a complaint, the current administration of Gov. Patrick McCrory in August discovered that the information being manually posted monthly to NC OpenBook included inappropriate payment data related to state healthcare facilities.
"Among the payments included on NC OpenBook were payments made on behalf of clients or to clients. As with all payments made through the state payment and accounting system, the information listed on NC OpenBook was the name, address, date of payment, dollar amount paid and the name of the facility that made the payment. No account numbers or other identifying information was released."
Ricky Diaz, a state health department spokesman, tells Information Security Media Group the information inadvertently posted included payments, such as refunds, made by state-run healthcare facilities and hospitals, to patients, who were mistakenly listed as vendors in the accounting system.
"They were listed as vendors because they received some type of payment through the state's accounting system, although they were clients/patients in our facilities. Reason for payments varied," he says. The inadvertent payment information involved 11 of North Carolina's 15 state-run healthcare facilities and hospitals, he adds.
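The root cause described above is a scoping failure: every payment in the accounting system was exported to the public site, so refunds that state hospitals paid to patients (who had been entered as vendors) went out with the genuine vendor payments. The following is an added example, not code from the state or from NC OpenBook, of a deny-by-default screening step that a publishing job could run before each monthly post. The record fields, the facility names and the payee-type values are assumptions; records from a healthcare facility are held for manual review rather than published, since the payee type alone cannot be trusted to separate vendors from patients.

```python
"""Pre-publication screening for a spending-transparency export.

Added example (not NC OpenBook's own code). Assumes each payment record
carries the paying entity, the payee and a payee_type assigned by the
accounting system; all field names and sample values are constructed.
"""
from dataclasses import dataclass

# Constructed names of paying entities that treat patients/clients and may
# therefore issue refunds or other payments to non-vendors.
HEALTHCARE_FACILITIES = {
    "Example State Hospital",
    "Example Developmental Center",
}

# Payee types in scope for public release (assumed values). Anything else
# (e.g. "individual") is out of scope and is never published.
PUBLISHABLE_PAYEE_TYPES = {"vendor", "contractor"}


@dataclass(frozen=True)
class Payment:
    payee_name: str
    payee_address: str
    payment_date: str  # ISO date string
    amount: float
    paying_entity: str
    payee_type: str


def is_publishable(p: Payment) -> tuple[bool, str]:
    """Return (ok, reason). Release is deny-by-default: a record is
    published only if it passes every check."""
    if p.payee_type not in PUBLISHABLE_PAYEE_TYPES:
        return False, f"payee_type {p.payee_type!r} is outside release scope"
    if p.paying_entity in HEALTHCARE_FACILITIES:
        # A hospital may have entered a patient as a "vendor" to issue a
        # refund, so the payee type is not sufficient evidence here.
        return False, "payment issued by a healthcare facility; hold for review"
    return True, "ok"


def screen(payments):
    """Split records into (published, held); each entry is (record, reason)
    so the held list doubles as an audit trail for the reviewer."""
    published, held = [], []
    for p in payments:
        ok, reason = is_publishable(p)
        (published if ok else held).append((p, reason))
    return published, held


# Constructed sample export: one real vendor payment, one hospital refund to
# a patient who was entered as a vendor, one payment to an individual.
SAMPLE_EXPORT = [
    Payment("Acme Office Supply Co.", "1 Main St", "2013-08-02", 1250.00,
            "Example Department of Transportation", "vendor"),
    Payment("J. Doe", "2 Elm St", "2013-08-05", 42.50,
            "Example State Hospital", "vendor"),
    Payment("R. Roe", "3 Oak St", "2013-08-09", 300.00,
            "Example Department of Transportation", "individual"),
]

if __name__ == "__main__":
    published, held = screen(SAMPLE_EXPORT)
    for p, _ in published:
        print("PUBLISH", p.payee_name, p.payment_date, p.amount, p.paying_entity)
    for p, reason in held:
        print("HOLD   ", p.payee_name, "->", reason)
```

Run against the constructed export, only the Acme vendor payment is published; the hospital refund and the payment to an individual land in the held list with the reason recorded. The point of the design is that the publishing step decides what is in scope rather than inheriting "everything in the accounting system" as the default.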
Upon discovering the breach, the health department, as well as the Office of State Budget and Management and the Office of the State Controller, took "immediate action," including removing the information from the NC OpenBook site, and ensuring the data was no longer accessible, Diaz says.
"Since the incident, [state agencies] have changed their procedures to ensure this does not happen again," Diaz says.
The health department says it is unaware of any misuse of the information. It has notified the Office for Civil Rights of the U.S. Department of Health and Human Services. But as of Nov. 14, the incident did not yet appear on OCR's "wall of shame" website listing breaches affecting 500 or more individuals.
Miaoulis of HSP Advisors points out that many states release payment information as part of efforts to provide transparency about spending.
"Other states also require public entities - such as government agencies and colleges - to disclose payments including salary payments, consulting payments, etc., to the public," Miaoulis says. However, the payment information disclosed by North Carolina on its NC OpenBook site was out of scope of what data can be publicly released by the state, he says.
Government organizations and their business associates need to pay particular attention to preventing breaches, regardless of whether they are incidents caused by insiders - including intentional deeds and mistakes - or hackers, Miaoulis adds.