A hacker infiltrated EmCare email accounts, compromising patient and employee data. Meanwhile, a misconfigured database of a rehab center, Steps to Recovery, exposed millions of patient records.
EmCare Data Breach
The Florida physician services vendor EmCare has notified about 60,000 patients, employees, and contractors that their personal data was potentially breached after several employee email accounts were hacked, according to Health IT Security:
According to officials, EmCare recently discovered an unauthorized individual gained access to a number of employee email accounts. An investigation was launched with the assistance of an outside forensic security firm to determine the scope of the security incident.
On February 19, officials determined the breached accounts contained personal data from patients, contractors, and employees, including demographic information and some clinical data. For some individuals, Social Security numbers and driver's license information were also compromised; those individuals will receive a year of free identity protection and credit monitoring services.
EmCare has since implemented additional security measures to prevent a recurrence, including “advanced IT solutions” and further employee training on email and IT security.
The notice did not say when the breach was first discovered, only that the notice was released 60 days after the investigation concluded. That is the wrong clock: under the HIPAA Breach Notification Rule, covered entities and business associates must notify affected individuals without unreasonable delay and no later than 60 days after the breach is discovered, not 60 days after the investigation ends.
Unsecured Database Exposes Millions of Rehab Records
An independent researcher recently discovered a misconfigured Steps to Recovery database, which left millions of patients’ rehab records exposed to the internet.
On March 24, the security researcher found an ElasticSearch database containing the personally identifiable information of patients who received treatment at the Pennsylvania-based addiction treatment center. The data appeared to cover patients who received services from mid-2016 to late 2018.
The database contained about 4.9 million rows of data, about 1.45 GB in size. The researcher estimated about 146,316 unique patients were included.
“A single Patient ID could have multiple rows of data for different medical procedures,” the researcher wrote. “Based on a random sample of 5,000 rows of data from the ‘infcharges’ index, I observed 267 unique patients – or roughly 5.34 percent were unique.”
“Assuming this trend continues, it would suggest the database contained roughly 146,316 unique patients,” he added. “To reiterate – it’s entirely possible this sample of 5,000 rows of data was not representative of the entire index of data though.”
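The exposure described above is the common one for Elasticsearch: the HTTP API answers on a reachable interface with no authentication, so anyone who can connect can list the indices and pull the rows. The script below is an added example, not code from the article or from the researcher, of the check a defender (or the hosting vendor) would run against their own endpoints before someone else does. Hostnames, index names, and row counts are hypothetical and constructed for the example.

```python
"""Added example: audit an Elasticsearch HTTP endpoint for anonymous read
access and summarize which user indices it exposes. Endpoints and index
names used here are hypothetical."""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Classify one anonymous GET against '/' or '/_cat/indices?format=json'.

    Returns 'open' when the response is an Elasticsearch payload served
    without credentials, 'auth_required' when the cluster challenged us,
    and 'unknown' otherwise (proxy page, non-JSON, unexpected shape).
    """
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    # GET / on an open cluster returns {"cluster_name": ..., "version": {...}}
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open"
    # GET /_cat/indices?format=json returns a list of {"index": ..., "docs.count": ...}
    if isinstance(data, list) and data and all(isinstance(r, dict) and "index" in r for r in data):
        return "open"
    return "unknown"


def summarize_indices(cat_rows):
    """Turn _cat/indices rows into [(index, doc_count, store_size)] for user
    indices only, largest document count first, so triage sees the worst first."""
    out = []
    for row in cat_rows:
        name = row.get("index", "")
        if name.startswith("."):  # skip system indices such as .kibana or .security
            continue
        try:
            docs = int(row.get("docs.count") or 0)  # string in the API; None for closed indices
        except ValueError:
            docs = 0
        out.append((name, docs, row.get("store.size", "?")))
    out.sort(key=lambda t: t[1], reverse=True)
    return out


def _get(url, timeout=5):
    """Anonymous GET; returns (status, body). Deliberately sends no credentials."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def audit(base_url):
    """Probe one endpoint (e.g. 'http://es.example.internal:9200', hypothetical)
    and return a small report dict; indices are listed only if the root is open."""
    status, body = _get(base_url + "/")
    verdict = classify(status, body)
    report = {"endpoint": base_url, "root": verdict, "indices": []}
    if verdict == "open":
        status, body = _get(base_url + "/_cat/indices?format=json")
        if classify(status, body) == "open":
            report["indices"] = summarize_indices(json.loads(body))
    return report


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["http://127.0.0.1:9200"]:
        print(json.dumps(audit(target), indent=2))
```

A verdict of `open` on the root URL is already a finding: nothing in the data path required a credential. The server-side fix lives in `elasticsearch.yml`: bind `network.host` to a loopback or private address rather than a public interface, and turn on `xpack.security.enabled: true` so the HTTP API demands authentication (Elasticsearch 8.x enables it by default; older releases needed it set explicitly). Putting the node behind a firewall rule that only allows the application tier is the second layer, and the one that would have stopped this exposure even with security disabled.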
Access to Anyone
Anyone with access to the unsecured database could see a patient's full list of medical procedures, the dates of service, the amount billed, and the specific facility where they received treatment, the researcher explained.
What’s worse is that by using the patient information found in the database, anyone would be able to perform a simple Google search to find even more details about the patient. The researcher could easily piece together the patient’s “age, birthdate, address, past addresses, the names of the patient’s family members, their political affiliation, potential phone numbers, and email addresses.”
The researcher notified Steps to Recovery and the ElasticSearch hosting vendor on the same day he found the database. The hosting vendor confirmed the exposed database was taken down on March 25. Although the researcher has attempted to reach Steps to Recovery three times, the addiction treatment center has yet to respond.
“It is unclear if Steps to Recovery took this action, or if someone may have been running this database on their behalf,” the researcher wrote. “I found this data leak purely by accident, but a malicious person could have also found this same data, and potentially used it as part of identity theft.”