HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Florida County Drug Screening Lab Exposed Sensitive Data Online for 4 Years

A misconfiguration of an internal website portal used by a Florida county drug screening lab exposed sensitive information online for a period of more than four years.

St. Lucie County’s drug screening lab (SLC Lab) provides drug testing services for employment, court cases, and other purposes. The configuration error was discovered on October 13, 2021, and the issue was immediately corrected.

Assisted by third-party cybersecurity professionals, the country determined on December 28, 2021, that the configuration error occurred on June 2, 2017. From June 2, 2017, to October 13, 2021, sensitive data were accessible to certain portal users, including full names, dates of birth, Social Security numbers, and limited information related to the type of drug test performed and the result of the lab test.

While sensitive data were exposed via the web portal for 4 years, SLC Lab said it has not been notified about any cases of improper use of any of the exposed information and is unaware of any cases of identity theft or fraud as a result of the portal misconfiguration.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

SLC Lab did not disclose in its breach notifications how many individuals have been affected, but the breach notice submitted to the Maine Attorney General says the sensitive information of 14,528 individuals was exposed. Notification letters started to be sent to those individuals on January 20, 2022. Complimentary credit and identity theft monitoring services have been offered to affected individuals.

SLC Lab said it is committed to maintaining the privacy of personal information and has taken many precautions to ensure sensitive information is safeguarded and will continue to evaluate and modify its practices and internal controls to improve the security and privacy of personal information.

While the exposed data include information classed as protected health information if held by a HIPAA-covered entity, this does not constitute a HIPAA breach as SLC Lab is not a HIPAA-covered entity with respect to the exposed data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.