Patient Data Exposed on App Development Site for Two YearsIowa Incident Highlights Need to Protect Data During Projects
A recent breach reported by University of Iowa Health Care that involved exposing patient data on an application development site for nearly two years illustrates the need to carefully guard against exposure of sensitive data on the internet.
UI Health Care tells Information Security Media Group in a statement that on April 29, the organization discovered that in May 2015, protected health information of approximately 5,300 patients at University of Iowa Hospitals and Clinics was inadvertently saved in unencrypted files that were posted online on an application development site.
The organization learned of data exposure through a tip from someone who discovered the unsecure data while "referencing information from the site," a spokesman for the organization says.
UI Health Care says that upon learning of the mistake, it "acted immediately and deleted the files on May 1, 2017."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says software development projects appear to be a frequent risk for breaches involving health data.
"It should be an easy thing to address, but for whatever reason, it seems to be an ongoing area where companies don't always act appropriately," he says. "There's an education element to this for employees, and there needs to be a particular emphasis on how these developers work."
Mac McMillan, president of security consulting firm CynergisTek, notes: "Any time you are dealing with a web-enabled tool and handling sensitive information, special care must be taken. Developing protocols for this ahead of time and requiring reviews by a second party before posting or going live and periodically reviewing are prudent steps to take."
An investigation found that the Iowa mishap occurred when "an employee used this open source programming tool as part of an application development for UI Health Care operations. The files were not made private and were left on the site after the work was completed," the spokesman says.
The organization says its investigation revealed that the information in the electronic files included patient names, dates of admission and medical record numbers.
"UI Health Care has no indications that information in the electronic files was misused or further disclosed. While the information included in the files was very limited, we are advising individuals of steps to help prevent and detect misuse of the information," the organization tells ISMG.
The organization is not offering free credit nor identity theft monitoring, the spokesman says.
The incident is posted on the Department of Health and Human Services' so-called "wall of shame" tally of major health data breaches as an "unauthorized access/disclosure" breach affecting 5,292 individuals that was reported on June 22.
UI Health Care says it's taking steps to bolster security and prevent similar incidents.
That includes more rigorous oversight and training of staff and students on the importance of protecting PHI, the spokesman says.
As part of that effort, UI Health Care is "tightening the process for the development and management of custom databases; educating staff and students about how and when to use the tools designed to store and move sensitive data sets; and enhancing employee training on data privacy for all who develop applications," he says.
UI Health Care is certainly not the first organization to report a major breach involving unsecured health data accessible on the internet.
That includes other incidents also involving mistakes made during software development-related work. For instance, in June 2015, an error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals whose PHI was left accessible via a website.
Also, in the early weeks of the launch of the Obamacare website HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. HHS' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site (see HealthCare.gov: Rebuilding Trust).
OCR has penalized at least one healthcare organization for an incident involving PHI left accessible on the internet.
In 2009, OCR investigated Phoenix Cardiac Surgery P.C. following a report that the practice was posting clinical and surgical appointments for its patients on an internet-based calendar that was publicly accessible. Then in 2012, the practice signing an OCR resolution agreement that included a corrective action plan and a $100,000 penalty.
McMillan says breaches involving sensitive data being left exposed on the web as a result of development or software testing work are "a lot more prevalent than we know." That's primarily due to the "lack of good processes around these practices and the latent discovery," he contends.
He advises entities to consider developing a set of test data that can be used for these purposes that won't expose the organization to risk if it's compromised.