

Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI

Tens of thousands of patients of a New York medical practice have had their protected health information exposed online due to a misconfigured server. It is currently unclear if anyone other than the security researcher who discovered the problem has accessed the data.

The server misconfiguration was identified on January 25, 2018 by Chris Vickery, director of cyber risk research at Upguard. In a March 26 blog post Vickery explained that he identified an exposed port typically used for remote synchronization (rsync).

While access should have been limited to specific whitelisted IP addresses, the port was misconfigured and allowed anyone to access the data. All that was required to access the server was its IP address.
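The failure described above is a daemon module with no effective `hosts allow` restriction. The following audit helper is an added example (not code from the article or from UpGuard) that parses an rsyncd.conf and reports modules reachable from any IP; the sample configuration is constructed, and the treatment of `*` as equivalent to "no restriction" is this script's assumption.

```python
"""Flag rsyncd.conf modules that have no effective 'hosts allow' restriction."""
import re

# Constructed sample: one module left open (the exposed pattern) and one
# restricted to a whitelisted subnet.
SAMPLE_RSYNCD_CONF = """
uid = nobody
read only = yes

[backup-open]
    path = /srv/backup
    comment = nightly backups

[backup-restricted]
    path = /srv/backup
    hosts allow = 10.0.5.0/24
    list = no
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KV = re.compile(r"^\s*(?P<key>[^=#;]+?)\s*=\s*(?P<val>.*?)\s*$")


def parse_rsyncd_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {'': global keys, module_name: {key: value}}, keys lowercased."""
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # skip blanks and comments
        if m := _SECTION.match(line):
            current = m.group("name").strip()
            sections.setdefault(current, {})
        elif m := _KV.match(line):
            sections[current][m.group("key").strip().lower()] = m.group("val")
    return sections


def audit_open_modules(text: str) -> list[str]:
    """Names of modules with no 'hosts allow', after falling back to the
    global default; such modules accept any client that can reach the port."""
    sections = parse_rsyncd_conf(text)
    global_allow = sections[""].get("hosts allow", "").strip()
    findings = []
    for name, keys in sections.items():
        if name == "":
            continue
        allow = keys.get("hosts allow", global_allow).strip()
        if not allow or allow == "*":  # assumption: '*' treated as unrestricted
            findings.append(name)
    return findings


if __name__ == "__main__":
    for module in audit_open_modules(SAMPLE_RSYNCD_CONF):
        print(f"module [{module}] is reachable from any IP; set 'hosts allow'")
```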

Vickery identified two sections in the repository, one of which – named backupwscohen – was publicly accessible and contained several files that included highly sensitive information. A virtual hard drive was also accessible that was discovered to contain staff details, including spouse information, children’s names, and in some cases, Social Security numbers. An Outlook pst file was also left unsecured. The file contained a large number of email communications.


Vickery also found a database with more than 42,000 patients’ names, dates of birth, health insurance information, phone numbers, addresses, Social Security numbers, email addresses, ethnicities, and clinical notes. The clinical notes included more than 3 million observations.

Vickery traced the data to the Huntington, New York medical practice of Cohen, Bergman, Klepper & Romano MDs PC. Starting on February 12, Vickery made several attempts to alert the doctors to the problem. Contact was attempted directly and through a local hospital, and Databreaches.net was asked to help locate the physicians.

It took until March 19 for a message to reach the physicians and action to be taken to secure the leaky server. The PHI of all patients has now been secured.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
