Database Security of Cerebral Palsy Research Foundation of Kansas Was Disabled, Exposing the PHI of 8,300 Patients


On March 10, 2018, the Cerebral Palsy Research Foundation of Kansas (CPRF) discovered that the security protection on one of its databases had been disabled for 10 months. This exposure led to the compromise of 8,300 patients' protected health information (PHI). On learning that the demographic database was unsecured, CPRF immediately took the necessary action to secure it.

An investigation of the data breach revealed that the database had been created on a protected subdomain in 2000. When CPRF moved servers in 2017, however, the database apparently went unidentified, so its security protection was not carried over to the new environment. During the period in which the database was unsecured, unauthorized persons could potentially have viewed patients' PHI.

The data exposed in the breach was limited to minimal personal information and PHI relating to the patients' type of disability. No financial details or donor information were exposed. The people most likely affected are those who received services from CPRF between 2001 and 2010.

It is not certain whether unauthorized persons actually accessed the exposed PHI during the period the unsecured database was accessible. Nevertheless, CPRF offered all persons affected by the breach one year of complimentary credit monitoring and identity theft protection services. In response to the investigation, CPRF also took action to minimize the potential risks. A complete audit of all domains, subdomains and databases was performed to determine whether any other vulnerabilities existed. To prevent a similar mistake from recurring, data security guidelines, along with other policies and procedures relating to employee changes, are now strictly enforced. A third-party expert was also contracted to carry out vulnerability scans and penetration tests on a regular basis.
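The failure described here is an inventory gap: a database that existed before a server move was not identified during the move, so its protection was silently dropped. The following is an added example, not CPRF's code, of a post-migration reconciliation check that compares a pre-migration asset record against what the new server actually serves and flags any database whose protection is weaker than before. The hostnames, database names and inventories are constructed for illustration.

```python
"""Post-migration reconciliation check (added example; all data constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DbAsset:
    host: str            # subdomain the database is served from
    name: str            # database name
    auth_required: bool  # access control in place
    public: bool         # reachable from the internet


# Constructed inventories: BEFORE is the pre-migration asset record,
# AFTER is what the new server was found to be serving.
BEFORE = [
    DbAsset("apps.example.org", "demographics", auth_required=True, public=False),
    DbAsset("apps.example.org", "donors", auth_required=True, public=False),
]
AFTER = [
    DbAsset("new.example.org", "demographics", auth_required=False, public=True),
    DbAsset("new.example.org", "donors", auth_required=True, public=False),
]


def reconcile(before, after):
    """Return (database, finding) pairs for every asset that went missing,
    lost a protection it had before the move, or appeared unexpectedly."""
    old_by_name = {a.name: a for a in before}
    new_by_name = {a.name: a for a in after}
    findings = []
    for name, old in old_by_name.items():
        new = new_by_name.get(name)
        if new is None:
            findings.append((name, "missing after migration"))
            continue
        if old.auth_required and not new.auth_required:
            findings.append((name, "authentication dropped"))
        if not old.public and new.public:
            findings.append((name, "now publicly reachable"))
    # Anything on the new server that the old record never listed is also a gap.
    for name in new_by_name.keys() - old_by_name.keys():
        findings.append((name, "unknown database on new server"))
    return sorted(findings)


if __name__ == "__main__":
    for db, finding in reconcile(BEFORE, AFTER):
        print(f"{db}: {finding}")
```

Run routinely after any server or domain move, the check turns a silent loss of protection into an immediate finding rather than a ten-month exposure.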

CPRF has mailed breach notification letters to all individuals affected by the incident and has submitted a breach report to the Department of Health and Human Services' Office for Civil Rights.