Unsecured Folder Leads to Big Breach
Mistakes that Expose Data on Internet Called Relatively Common
A breach affecting more than 307,000 patients that occurred when an unsecured folder of data was "inadvertently" left accessible via the Internet is the largest incident posted in recent weeks on the federal healthcare data breach tally.
Touchstone Medical Imaging, a Brentwood, Tenn.-based provider of diagnostic imaging services nationwide, says it became aware in May "that a seldom-used folder containing patient billing information relating to dates prior to August 2012 had inadvertently been left accessible via the internet," according to a statement posted on the company's website.
Some security experts say this type of vulnerability - where unsecured patient data is left accessible via the Internet - unfortunately is relatively common among healthcare organizations.
"Companies large and small cannot control 100 percent what employees do," says Kevin Wetzel, CEO of the security consulting firm SLC Security Services LLC. "The human element will always be the weakest link in protecting PHI/PII," says Wetzel, whose firm has been notifying organizations in several sectors, including healthcare, of these kinds of incidents when its researchers discover them on the Internet through monitoring.
"We have seen ... persons attaching files to e-mail them home and inadvertently sending them to the wrong person," Wetzel says. "We have seen employees, wanting to be able to work from home, upload files to Dropbox or Google Documents and forgetting about them and the fact that the folder they copied them to was set to 'public' - and could be searched ..." he says.
As of Oct. 20, the Department of Health and Human Services' "wall of shame" website, which lists breaches affecting 500 or more individuals, included 1,135 incidents - including Touchstone's - affecting more than 39 million people since September 2009, when the HIPAA breach notification rule first went into effect. That's up from 1,126 breaches affecting 38.7 million individuals as of Sept. 23.
In its statement, Touchstone says that upon learning that the folder was accessible via the Internet, "we immediately secured the folder and removed it from public view. We also began an internal investigation, which initially led us to believe that the patient information in the folder was not readable. However, on Sept. 5, 2014, we obtained new information that suggested that the patient information may have been readable and included patients' names, dates of birth, addresses, telephone numbers, health insurer names, radiology procedures, diagnoses and in some instances, Social Security numbers. Medical records were not included."
The medical imaging firm says the incident only affected patients who had radiology procedures before August 2012. "We have no knowledge and there is no indication that any patient information has been used improperly. However, in an abundance of caution, we began sending letters to affected patients on Oct. 3, 2014," the statement notes.
Touchstone did not respond to an Information Security Media Group request for additional details about the incident.
Privacy expert Kate Borten, founder of consulting firm The Marblehead Group, says unsecured files left accessible to the Internet can be a sign of deeper security control issues.
"There seems to be a lack of details about how this happened [at Touchstone], but in any case, unrestricted Internet access to a healthcare organization's network servers and file shares is an immediate red flag," she says.
"It sounds like a case of inadequate oversight and controls on the private network by the IT staff. This type of information should have been limited to a subset of the organization's workers and should absolutely require logon through a unique user ID and a password, at the bare minimum. Aside from the fact that the PHI was exposed to the entire organization, it's stunning to think that the network controls were so weak that anyone on the Internet could access this data. It also raises the question of what other data was exposed."
Breaches involving unsecured patient data accessible via the Internet have already caught the eye of federal regulators in past enforcement cases.
In 2012, HHS' Office for Civil Rights smacked a $100,000 HIPAA penalty and a corrective action plan against Phoenix Cardiac Surgery P.C. when an investigation revealed the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.
As for the Touchstone incident, "once a file is out there and publicly accessible there is no way to get the data back," Wetzel says. "Internet archival systems ... may store a copy of it, Google may have a cached copy, private companies and individuals may make a copy for their use such as what we do with our [internet intelligence monitoring] service," he says. "Once the data is out there even for a few minutes the likelihood of another entity obtaining it and making a copy is [high]."
To avoid Touchstone-type breaches, Wetzel says his firm advises clients to not allow employees to post files to Google Documents, file sharing applications, Dropbox and peer-to-peer networks. Additionally, he suggests clients disable thumb drives and implement e-mail auditing systems.