Online Portal Glitch Causes California HIPAA Breach

A California not-for-profit organization has issued a breach notification after discovering that an online portal it used to process applications was insecure, which may have resulted in the Protected Health Information (PHI) of a number of individuals being disclosed.

The Painted Turtle is a camp for children suffering from life-threatening illnesses and places in the program are provided free of charge. When parents or legal guardians apply for a place at the camp, they are required to enter information into an online portal as part of the application process.

While the system was believed to be secure and HIPAA-compliant, a software glitch potentially resulted in application information being made available to the person who was listed as a reference in the application. The data recorded by the portal includes personal information about the applicant and potentially also Social Security numbers, driver’s license numbers, personal medical information, employment details, and names and addresses. Painted Turtle confirmed that no financial information – bank account details and credit card information – was compromised in the incident.

On discovery of the breach, the organization immediately shut down its database while work was completed to repair the glitch. That task has now been completed and the database has been reconfigured to prevent any further disclosures of PHI.

Blake Maher, Executive Director of Painted Turtle, believes the risk of information being exposed is low because four conditions must all have been met for the data to be viewable: the applicant must have included a reference in a 2013-2014 application; that reference would also have needed to have started filling out an application on the site; both of those applications would need to be “pending”; and the reference would have needed to access the system, click on “show related profiles” and enter the individual’s name in order to bring up application information.

None of the information entered would have been viewable if the above conditions were not met, and there was no evidence available to suggest that any individual had actually viewed the PHI of another applicant. Maher also pointed out that no individuals other than the reference would have been able to access any stored information.

Even though the risk of PHI being exposed is very low, Painted Turtle has agreed to provide all affected individuals with credit monitoring services free of charge for a period of one year. Affected individuals are now being contacted by mail to advise them of the breach. All potential victims will also be covered by a $1,000,000 insurance policy in case their PHI is used to commit fraud.

The glitch was discovered on January 12, 2015, although it is not clear how long the fault was present. According to Painted Turtle, only applicants for the 2013-2014 program have been affected. The organization did not specify how many individuals’ PHI had been compromised as a result of the HIPAA breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.