Share this article on:
Best Health Physical Therapy LLC has notified 1,100 patients that some of their electronic protected health information has potentially been accessed and downloaded by a third party.
The data breach occurred at Best Health Physical Therapy’s billing service provider, Rehab Billing Solutions (RBS). Best Health Physical Therapy was notified of the breach on September 23, 2016 after RBS was contacted by MacKeeper security researcher Chris Vickery and advised that client data had been exposed and was freely accessible online.
Patient records were stored on Amazon’s Simple Storage Service (S3) by RBS; however, Vickery discovered the records had not been secured. Without controls to prevent access, Vickery was able to gain access to more than 260,000 files. Those files contained 61GB of confidential data.
The breach affected approximately 30 clients of RBS including Best Health Physical Therapy. Vickery notified Databreaches.net of the data exposure in September and assistance was provided notifying affected parties. After learning of the lack of protections, RBS acted quickly and secured its Amazon S3 account. According to RBS, data were exposed as a result of a misconfiguration when setting up the account. Data were accessible online for a number of months.
Upon learning of the breach, Best Health Physical Therapy conducted a full investigation to determine which data had been accessed and how many patients were affected. It was ascertained that the exposed data included patients’ names, addresses, birth dates, health insurance information, driver’s license details, and some health information.
Vickery confirmed that while he accessed some of the data, none of the information viewed or downloaded would be used or disclosed. However, it has not been possible to determine whether any other individuals also accessed or downloaded patient health information during the time data were exposed.
Best Health Physical Therapy has confirmed that updated access controls have been implemented to ensure sensitive data can no longer be accessed, although the decision was taken to terminate the relationship with its vendor as a result of this security breach.
Breach notification letters have now been sent to affected patients explaining the steps that can be taken to protect identities and financial information. All patients affected by the incident have also been offered credit monitoring and protection services for twelve months without charge.
RBS has now notified all of its clients of the breach, although RBS has not submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights. Each affected client will be notifying OCR of the incident separately. It is therefore probable that many more breach reports will appear on the OCR breach portal over the coming days with the HIPAA Breach Notification Rule reporting deadline fast approaching.