Chiropractic Clinics Alert Patients to Billing Vendor Breach

Two providers of chiropractic services in California have started notifying their patients of a security breach affecting their billing software company.

Luque Chiropractic, Inc., and Watsonville Chiropractic, Inc., were alerted to a cloud storage account breach on November 18, 2016., following a data security incident that saw patient data accessed by an unauthorized individual.

The breach was experienced by EMR4all, Inc., and affected clients that used the company’s associated billing service.

EMR4all, Inc provides free EMR software for physical therapy, occupational therapy, and chiropractic practices throughout the United States, while billing services are provided by Rehab Billing Solutions.

In early September, security researcher Chris Vickery discovered a cloud storage account used by EMR4all/Rehab Billing Solutions could be freely accessed via the Internet. The cloud storage account contained the health records and personal information of many thousands of patients from more than 30 providers of physical therapy and chiropractic services.

Vickery was able to access and download the data from the account. In total, around 61GB of data – and approximately 240,000 unencrypted files – were stored in the account.

Luque Chiropractic and Watsonville Chiropractic were informed that their patients’ names, addresses, birth dates, medical diagnoses, Social Security numbers, treatment dates, and treatment locations, had been compromised and had potentially been accessed.

The data in the account was downloaded by Vickery on September 10, 2016, although the account was left unsecured for a period of around 4 months from May 2016 to September 2016.

As soon as the billing service provider was informed of the lack of security protections, rapid action was taken to secure the account. Proper access credentials are now required to access patient data.

Vickery only downloaded the data for the purpose of highlighting the lack of security protections and to ensure that all companies/individuals affected could be notified. Vickery has agreed to delete the data and not to disclose the information to any other individuals. However, it is possible that other individuals may have accessed the data during the time that the storage account was left unprotected. To date, Luque Chiropractic, Inc., and Watsonville Chiropractic have not received any reports to suggest that patient data have been used inappropriately.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.