Capital Digestive Care, a gastroenterology group based in Silver Spring, Maryland, discovered a mistake made by one of its business associates (BAs). The BA had uploaded data files to a commercial cloud server that lacked the necessary security settings, which led to the exposure of 17,639 patients’ protected health information (PHI).
Capital Digestive Care learned on February 23, 2018 that patients’ sensitive data had been exposed on the internet. CDC took immediate action to secure the data files and stop access by unauthorized people. Investigators examined the patient privacy breach to determine what kinds of data were compromised and which patients were impacted.
The investigation confirmed that certain sensitive data had been compromised. However, only patients who visited the contact pages of the website or submitted their details via the Schedule a Visit page were affected. The compromised data was limited to patients’ names, dates of birth, home addresses, email addresses and telephone numbers. Some patients also had a limited amount of health data exposed. No financial information was compromised, because the Pay a Bill pages and the patient portal login page were not affected by the problem. All patient accounts, electronic health records and Social Security numbers remained secure.
The investigative report did not state how long the patient data was exposed, nor how many unauthorized individuals had accessed the patient records. Nevertheless, to date, Capital Digestive Care has not received any report indicating that the compromised data has been misused by unauthorized individuals.
Capital Digestive Care has taken the required steps to prevent similar breaches from occurring again. Third-party vendors are now required to demonstrate compliance with the HIPAA Security Rule, specifically when using cloud storage for private information. Patients whose data was exposed have already been notified by mail, and the notification letters also include information on how to safeguard and monitor their personal data.