42,000 Patients’ PHI Exposed Due to Server Misconfiguration

A New York medical practice has disclosed that tens of thousands of its patients had their protected health information (PHI) exposed online because of an improperly configured server. It is not yet clear whether anyone other than the security researcher who found the problem accessed the data.

The misconfiguration was discovered on January 25, 2018 by Chris Vickery, director of cyber risk research at Upguard. In a March 26 blog post, Vickery explained that he had found an exposed port belonging to the rsync remote synchronization service (an rsync daemon listens on TCP port 873 by default).

Access should have been restricted to a whitelist of specific IP addresses, but the rsync service was configured without that restriction, so anyone who connected could read the data. No credentials were required: knowing the server's IP address was enough.
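The exposure pattern described above is visible in the daemon's own configuration: an rsyncd.conf module with neither a `hosts allow` list nor `auth users` is readable by any client that can reach the port. The following audit script is an added example, not code from the article or from Upguard. It parses the rsyncd.conf format (global settings followed by `[module]` sections, with module settings overriding the global defaults) and reports every module that is open. The two embedded configs are constructed for illustration; the module name matches the one the article reports, while the paths, user name and the addresses in `hosts allow` are placeholders.

```python
"""Audit an rsyncd.conf for modules reachable without restriction.

Added example, not the article's or Upguard's code. Flags modules that
have neither a `hosts allow` list (any source IP may connect) nor
`auth users` (no credentials needed). Sample configs are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed weak config: the exposure described in the article. Without
# `hosts allow` or `auth users`, any client that knows the IP can list and
# read the module. The module name is the one the article reports.
WEAK_CONF = """
uid = nobody
gid = nobody
use chroot = yes
read only = yes

[backupwscohen]
    path = /srv/backups/wscohen
    comment = Office backups
"""

# Constructed hardened config: a global allow-list (the default for every
# module unless overridden) plus per-module authentication. Addresses,
# path and user name are placeholders.
HARDENED_CONF = """
uid = nobody
gid = nobody
use chroot = yes
read only = yes
hosts allow = 10.20.0.0/24 192.0.2.10
hosts deny = *
list = no

[backupwscohen]
    path = /srv/backups/wscohen
    comment = Office backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")
SETTING = re.compile(r"^([^=#;]+?)\s*=\s*(.*?)$")


def parse_rsyncd_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global_settings, {module_name: module_settings}).

    Covers the subset of the format the audit needs: comment lines start
    with # or ;, settings are `key = value`, keys are case-insensitive and
    internal whitespace in keys is collapsed. Settings that appear before
    the first [module] header are the global defaults.
    """
    global_settings: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION.match(line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        setting = SETTING.match(line)
        if setting:
            key = " ".join(setting.group(1).lower().split())
            current[key] = setting.group(2).strip()
    return global_settings, modules


def effective(global_settings: Dict[str, str],
              module_settings: Dict[str, str], key: str) -> Optional[str]:
    """Module value if set, otherwise the global default, otherwise None."""
    return module_settings.get(key, global_settings.get(key))


def audit(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(module, findings)] for every module that is open.

    Findings are 'no hosts allow' (no source-IP restriction) and
    'no auth users' (no credentials required). Modules with no
    findings are omitted.
    """
    global_settings, modules = parse_rsyncd_conf(text)
    report: List[Tuple[str, List[str]]] = []
    for name, settings in modules.items():
        findings = []
        if not (effective(global_settings, settings, "hosts allow") or ""):
            findings.append("no hosts allow")
        if not (effective(global_settings, settings, "auth users") or ""):
            findings.append("no auth users")
        if findings:
            report.append((name, findings))
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no open modules")
```

Run against the constructed configs, `audit(WEAK_CONF)` reports `backupwscohen` with both findings and `audit(HARDENED_CONF)` reports nothing. The external check is equally simple: `rsync --list-only rsync://<host>/` lists the modules an unauthenticated daemon exposes, and `rsync --list-only rsync://<host>/<module>/` lists their contents, which is all the access the article describes. Once `hosts allow` is set, rsync refuses clients outside the list even without `hosts deny`, so the explicit `hosts deny = *` is belt and braces.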

Vickery found two shared directories (rsync modules) on the server. One, labelled backupwscohen, was publicly accessible and contained several files holding highly sensitive data. A virtual hard drive image was also accessible and was found to contain staff details, including spouse details, children’s names and, in some cases, Social Security numbers. An Outlook .pst mailbox file was also left unprotected; it held a very large number of email messages.

Vickery also found a database holding records on more than 42,000 patients: patient details, birth dates, health insurance data, phone numbers, addresses, Social Security numbers, email addresses, ethnicities and clinical notes. The clinical notes alone ran to more than 3 million entries.

Vickery followed the data trail to the Huntington, New York medical practice of Cohen, Bergman, Klepper & Romano MDs PC. Beginning on February 12, he made several attempts to warn the doctors about the issue, both directly and through a local hospital, and enlisted Databreaches.net to help locate the physicians.

The exposure was not closed until March 19, when a message finally reached the physicians and the leaking server was secured. All patients’ PHI has now been safeguarded.