The Silver Spring, MD-based gastroenterology group Capital Digestive Care has discovered one of its business associates uploaded files to a commercial cloud server that lacked appropriate security controls, exposing the protected health information of up to 17,639 patients.
The availability of sensitive patient data over the Internet was brought to the attention of Capital Digestive Care on February 23, 2018, and action was promptly taken to secure the files and prevent further unauthorized access.
An investigation into the privacy breach was launched to determine the types of information that had been exposed and the number of patients impacted.
The investigation confirmed some sensitive data had been exposed, although the breach was limited to individuals who had visited its website and submitted information via the Schedule a Visit and Contact pages on the site.
The types of information exposed were limited to names, addresses, email addresses, telephone numbers, and birth dates. Patients may also have had a limited amount of health information exposed. The login page to the patient portal and the Pay a Bill pages were unaffected, so no financial information was exposed. No patient accounts were compromised and Social Security numbers and electronic health records remained secure at all times.
Capital Digestive Care has taken steps to prevent further breaches of PHI. All third-party vendors are now required to confirm compliance with HIPAA Security Rule provisions concerning the secure storage of personal data.
All patients impacted by the incident have been notified by mail and provided with information on monitoring and protecting their personal information.
It is unclear for how long patient data were exposed and how many unauthorized individuals viewed patient information.
Capital Digestive Care has not received any reports to suggest the exposed information has been obtained by unauthorized individuals or misused.