Physical Therapy Provider Discovers Cloud Storage Account Breach

California-based Silver Creek Fitness and Physical Therapy has been alerted to a potential privacy breach by its billing and software vendors. A cloud storage account containing the protected health information of some of its patients had been left unprotected and could be freely accessed via the Internet.

An unnamed security researcher discovered an Amazon S3 storage account used by the healthcare provider’s billing and software vendors had been improperly secured. The storage account was accessed by the researcher, who succeeded in downloading information from the account.

An investigation into the security breach was launched that showed security protections were not present for a period of four months between May 2016, and September 11, 2016 when the breach was discovered.

The storage account contained highly sensitive patient information including names, prescription details, dates of birth, Social Security numbers, driver’s license numbers, progress notes, Medicare numbers, treatment locations and treatment dates. Information was downloaded by the security researcher on September 10, 2016.

In recent months, several attacks on healthcare providers have occurred in which data were stolen and ransom demands issued. The attackers have threatened to dump the data online or sell PHI to identity thieves on darknet marketplaces if payment is not made. However, that does not appear to be the case in this instance. Silver Creek Fitness and Physical Therapy has reported that the security researcher works for a software company and the downloaded information has now been deleted. The download does not appear to have been performed for any nefarious purpose.

However, out of an abundance of caution, all affected patients have been notified of the incident and provided with complimentary identity theft protection services for 12 months. According to the breach notice submitted to the California attorney general’s office, access to the cloud storage account is now restricted and proper access credentials must be supplied to gain access to the data.

In addition to Silver Creek Fitness and Physical Therapy patients, the privacy incident also impacts patients who received medical services at its locations in Gilroy, Sunnyvale, and Los Gatos. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 8,009 individuals have been impacted.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.