Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI
Tens of thousands of patients of a New York medical practice have had their protected health information exposed online due to a misconfigured server. It is currently unclear if anyone other than the security researcher who discovered the problem has accessed the data.
The server misconfiguration was identified on January 25, 2018 by Chris Vickery, director of cyber risk research at UpGuard. In a March 26 blog post Vickery explained that he identified an exposed port typically used for remote synchronization (rsync).
While access should have been limited to specific whitelisted IP addresses, the port was misconfigured and allowed anyone to access the data. All that was required to access the server was its IP address.
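As an added, illustrative example (not code from UpGuard or the practice), a small Python audit of an rsync daemon configuration that flags the pattern described above: a module with no `hosts allow` restriction, so any client that knows the server's IP address can connect. The module name, addresses and file paths below are constructed for illustration.

```python
import configparser
import io

# Constructed weak config (hypothetical): no 'hosts allow' and no
# 'auth users', so any client that reaches the daemon can list and pull it.
WEAK_CONF = """
[backupwscohen]
path = /srv/backups/wscohen
read only = yes
"""

# Constructed hardened form: allow-list of trusted addresses (documentation
# ranges here), deny everything else, require credentials, hide the module.
HARDENED_CONF = """
[global]
hosts allow = 203.0.113.10 198.51.100.0/24
hosts deny = *
list = no

[backupwscohen]
path = /srv/backups/wscohen
read only = yes
auth users = backup
secrets file = /etc/rsyncd.secrets
"""


def audit_rsyncd(conf_text):
    """Return {module: [findings]} for modules exposed to any source address
    or to anonymous clients. rsyncd.conf is INI-like: keys before the first
    header or in [global] apply to all modules unless a module overrides them."""
    if not conf_text.lstrip().startswith("["):
        conf_text = "[global]\n" + conf_text  # bare leading keys are global
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(conf_text))
    glob = dict(cp["global"]) if cp.has_section("global") else {}
    findings = {}
    for module in cp.sections():
        if module == "global":
            continue
        opts = {**glob, **dict(cp[module])}  # module keys override global
        issues = []
        allow = opts.get("hosts allow", "").split()
        if not allow or "*" in allow:
            issues.append("no restrictive 'hosts allow': any source IP may connect")
        if "auth users" not in opts:
            issues.append("no 'auth users': anonymous access permitted")
        if opts.get("list", "yes").strip().lower() != "no":
            issues.append("module is advertised to unauthenticated clients")
        if issues:
            findings[module] = issues
    return findings
```

Running the audit over a live `/etc/rsyncd.conf` is a cheap pre-deployment check; a non-empty result means the daemon should not be reachable from the internet until fixed.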
Vickery identified two sections in the repository, one of which – named backupwscohen – was publicly accessible and contained several files that included highly sensitive information. A virtual hard drive was also accessible and was found to contain staff details, including spouse information, children’s names, and in some cases, Social Security numbers. An Outlook .pst file was also left unsecured; it contained a large number of email communications.
Vickery also found a database with more than 42,000 patients’ names, dates of birth, health insurance information, phone numbers, addresses, Social Security numbers, email addresses, ethnicities, and clinical notes. The clinical notes included more than 3 million observations.
Vickery traced the data to the Huntington, New York medical practice of Cohen, Bergman, Klepper & Romano MDs PC. Starting on February 12, Vickery made several attempts to contact the doctors to alert them about the problem. Contact was attempted both directly and via a local hospital, and Databreaches.net was contacted to assist with locating the physicians.
It took until March 19 for a message to reach the physicians and action to be taken to secure the leaky server. The PHI of all patients has now been secured.