Breach of Patient Data at New Jersey Healthcare Provider Found Due to Unprotected Data Server


Security researcher Jeremiah Fowler discovered an unsecured healthcare database containing about 37,000 records on March 1, 2019. A brief review of the database revealed that the records belonged to Home Health Radiology Services LLC, a healthcare provider in New Jersey.

The database comprised highly sensitive patient data including names, addresses, telephone numbers, and birth dates together with diagnoses, medical notes, treatment data, insurance details, and in some instances, Social Security numbers.

In a securitydiscovery.com blog post, Fowler mentioned that 37,000 case files were found, together with 1,540 doctor’s data records, chat records, email messages, support tickets, and other sensitive files. The records were mainly found in an Elastic database that anyone could access online without authentication.

Upon being informed about the unsecured database, Home Health Radiology Services immediately secured it to avert further unauthorized access. There is no information about how long the database was accessible online or whether anybody aside from Fowler accessed the data.

This breach is just one of many similar incidents that have happened due to the removal of server and database protections. Another breach was discovered this week, involving a fax server used by Meditab Software Inc, a medical software provider based in Sacramento, CA. Protections on the server were removed, so healthcare faxes became viewable online in real time. The server contained over 6 million records.

In February, UW Medicine discovered that about 1 million records were exposed online because of a database misconfiguration.

These breaches emphasize the importance of having policies and procedures that ensure all servers and databases storing patient health data are monitored, so that each server stays secure against unauthorized data access, particularly after software upgrades or patch application.

These are not isolated incidents. In late 2018, Intsights, an enterprise threat management platform provider, suggested in a study that up to 30% of healthcare databases have been compromised over the internet.