A improperly configured security setting on a radiology interface has lead to the exposure of tens of thousands of patients’ protected health data.
A multi-specialty physicians’ organization based in Middleton, NY, Middletown Medical, first noticed the misconfigured security setting on January 29, 2018.
The next day the interface was reconfigured to ensure unauthorized people could not access patient information. It is not clear for how long patient data remained accessible. Middletown Medical says only a restricted number of patients’ PHI could have been obtained by unauthorized people.
Highly sensitive details including financial data, Social Security numbers, and insurance information were not accessed. The breach was restricted to names, client identification numbers, birthdays, confirmation that radiology services had been received by clients, and the dates those services took place. A lsmall number of patients also had diagnosis codes, radiology images and radiology reports obtained.
After finding the breach, Middletown Medical looked over its polices and procedures and implement additional security measures to ensure the confidentiality of documents containing PHI. Additional training has been given to staff on securing data storage systems and modifications have been applied to interfaces to ensure all information remains safeguarded.
No indications of misuse of PHI have been found although, as a precautionary measure, all patients affected by the breach have been offered free identity theft recovery services for one year and have been told to carefully monitor their account statements and Explanation of Benefits statements for any sign or fraudulent behavior.
The data breach summary filed to the Department of Health and Human Services’ Office for Civil Rights (OCR) shows up to 63,551 patients had their PHI accessed, making this one of the biggest healthcare security incidents to be reported so far in 2018.