Share this article on:
The Arc of Erie County New York (The Arc), a provider of person-centered services to individuals with developmental disabilities, has discovered two spreadsheets containing the protected health information of 3,751 patients were accessible on the Internet without the need for authentication for more than 30 months.
Between July 2015 and February 2018, the two spreadsheets could be accessed over the Internet by unauthorized individuals as a result of a coding error on the website. The coding error saw a link included on the website that allowed the spreadsheets to be accessed.
Individuals affected by the breach, many of whom are developmentally disabled, had been enrolled in certain programs offered by The Arc. The Arc spreadsheets contained sensitive information such as names, Social Security numbers and diagnosis codes.
When the error was discovered in February, The Arc deactivated the link to prevent any further disclosures of PHI and contacted a computer forensics and data security firm to investigate the breach and help take corrective action to limit the harm caused to patients. The Arc has also contacted search engine providers to remove any reference to the information from the search engine listings. It is unclear whether the spreadsheets were accessed by unauthorized individuals and if any PHI has been viewed or copied.
All affected individuals have been notified of the breach and offered complimentary credit monitoring and identity theft protection services for 12 months.
To prevent further privacy breaches, The Arc has reviewed and updated its policies and practices and strengthened its privacy and data security practices. Additional training has also been given to appropriate staff.