HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

3,751 Patients’ PHI Exposed on Internet for More Than 30 Months

The Arc of Erie County New York (The Arc), a provider of person-centered services to individuals with developmental disabilities, has discovered two spreadsheets containing the protected health information of 3,751 patients were accessible on the Internet without the need for authentication for more than 30 months.

Between July 2015 and February 2018, the two spreadsheets could be accessed over the Internet by unauthorized individuals as a result of a coding error on the website. The coding error saw a link included on the website that allowed the spreadsheets to be accessed.

Individuals affected by the breach, many of whom are developmentally disabled, had been enrolled in certain programs offered by The Arc. The Arc spreadsheets contained sensitive information such as names, Social Security numbers and diagnosis codes.

When the error was discovered in February, The Arc deactivated the link to prevent any further disclosures of PHI and contacted a computer forensics and data security firm to investigate the breach and help take corrective action to limit the harm caused to patients. The Arc has also contacted search engine providers to remove any reference to the information from the search engine listings. It is unclear whether the spreadsheets were accessed by unauthorized individuals and if any PHI has been viewed or copied.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

All affected individuals have been notified of the breach and offered complimentary credit monitoring and identity theft protection services for 12 months.

To prevent further privacy breaches, The Arc has reviewed and updated its policies and practices and strengthened its privacy and data security practices. Additional training has also been given to appropriate staff.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.