HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server.

The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing.

The records were not encrypted nor protected with a password and could have been downloaded by any individual who knew where to look.

It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health histories and highly sensitive data including HIV statuses, reports of domestic violence, sexual assaults and addiction histories.

It was not initially clear to whom the data belonged, although the records were eventually traced to the Bronx Lebanon Hospital Center, with the backup device linked to iHealth Innovations, a Louisville, KY-based IT services and records management company.

In a recent blog post, MacKeeper researcher Bob Diachenko explained that efforts were made by Kromtech to contact the owners of the data, with assistance provided by Databreaches.net. In a statement provided to databreaches.net, Diachenko confirmed there has been no improper usage of the data by the Kromtech researchers.

While the majority of data appear to relate to patients of the Bronx Lebanon Hospital Center, it is unclear at this stage whether patients of other healthcare providers have also been affected.

iHealth has confirmed that a breach has occurred and the incident has been investigated. While the investigation is ongoing, iHealth says the investigation revealed that only one individual had accessed the data – the Kromtech researcher who discovered the error.

The server has now been reconfigured to prevent further access and the investigation is continuing, with a third-party cybersecurity company called in to validate iHealth’s analysis. The breach has been reported to law enforcement and Bronx Lebanon Hospital Center is assisting with the investigation.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.