The Arc of Erie County New York (The Arc), a supplierer of person-centered services to people with developmental disabilities, has found that two spreadsheets holding the protected health information of 3,751 patients were accessible on the Internet with no requirement need for secure authentication for over 30 months.
From July 2015 and February 2018, the two spreadsheets could be viewed online by unauthorized people due to a coding mistake on the website. The coding mistake saw a link published on the website that allowed the spreadsheets to be viewed.
Individuals impacted by the breach, many of whom are developmentally disabled, had been enrolled in certain programs provided by The Arc. The Arc spreadsheets included sensitive data such as names, Social Security details and diagnosis codes.
When the mistake was identified in February, The Arc deactivated the link to stop any further disclosures of PHI and hired a computer forensics and data security firm to look into the breach and help take corrective action to restrict the harm caused to patients. The Arc has also reached out to search engine providers to remove any reference to the data from the search engine listings. It is unclear whether the spreadsheets were seen by unauthorized peoples and if any PHI has been viewed or duplicated.
All affected people have been alerted of the breach and offered free credit monitoring and identity theft protection services for one year.
To avoid further privacy violations, The Arc has overlooked and updated its policies and practices and enhanced its privacy and data security policies. Extra training has also been given to certain relevant employees.