42,000 Patients’ PHI Violated due to Server Misconfiguration

by | Mar 29, 2018

A New York medical practice has revealed that tens of thousands of their patients have had their protected health information exposed online due to an improperly configured server. It is currently not obvious if anyone other than the security researcher who found the problem has accessed the information.

The server misconfiguration was discovered on January 25, 2018 by Chris Vickery, director of cyber risk research based at Upguard. In a March 26 blog post Vickery outlined that he discovered an exposed port normally used for remote synchronization (rsync).

While access should have been restricted to specific whitelisted IP addresses, the port was improperly configured and allowed anyone to view the data. All that was required to log onto the server was its IP address.

Vickery discovered two sections in the repository, one of which – labelled backupwscohen – was publicly accessible and included several files that included highly sensitive data. A virtual hard drive was also accessible that was seen to contain staff details, including spouse details, children’s names, and in some instances, Social Security numbers. An Outlook pst file was also left unprotected. The file included a massive number of email communications.

Vickery also discovered a database with more than 42,000 patients’ details, birth dates, health insurance data, phone numbers, addresses, Social Security numbers, email addresses, ethnicities, and clinical remarks. The clinical notes included over 3 million comments.

Vickery following the data trail to the Huntington, New York medical practice of Cohen, Bergman, Klepper & Romano MDs PC. Beginning on February 12, Vickery made several efforts to reach out to the doctors to warn them about the issue. Direct contact was attempted and through a local hospital, with Databreaches.net contacted to help with locating the physicians.

Action was not taken until March 19 when a message reached the physicians and steps were taken to safeguard the leaky server. The PHI of all patients has now been safeguarded.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy