Share this article on:
Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server.
The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing.
The records were not encrypted nor protected with a password and could have been downloaded by any individual who knew where to look.
It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals.
The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health histories and highly sensitive data including HIV statuses, reports of domestic violence, sexual assaults and addiction histories.
It was not initially clear to whom the data belonged, although the records were eventually traced to the Bronx Lebanon Hospital Center, with the backup device linked to iHealth Innovations, a Louisville, KY-based IT services and records management company.
In a recent blog post, MacKeeper researcher Bob Diachenko explained that efforts were made by Kromtech to contact the owners of the data, with assistance provided by Databreaches.net. In a statement provided to databreaches.net, Diachenko confirmed there has been no improper usage of the data by the Kromtech researchers.
While the majority of data appear to relate to patients of the Bronx Lebanon Hospital Center, it is unclear at this stage whether patients of other healthcare providers have also been affected.
iHealth has confirmed that a breach has occurred and the incident has been investigated. While the investigation is ongoing, iHealth says the investigation revealed that only one individual had accessed the data – the Kromtech researcher who discovered the error.
The server has now been reconfigured to prevent further access and the investigation is continuing, with a third-party cybersecurity company called in to validate iHealth’s analysis. The breach has been reported to law enforcement and Bronx Lebanon Hospital Center is assisting with the investigation.