A central Texas clinic, Lone Star Circle of Care of Georgetown, has learned that a backup file containing the personal information of 8,700 individuals was available through the community health center’s website for a period of six months, during which time it was accessed on a number of occasions by unknown individuals. The file was created on 31st July 2014; however, the data breach was not discovered until 9th January 2015.
The breach has been attributed to the actions of an individual employed by a company tasked with designing, maintaining and securing the website. That person had accidentally generated a backup file which was subsequently placed in an unsecured folder accessible to the public via the Lone Star website.
No direct link to the file was posted online, although the file was accessible through the website’s search facility and could be downloaded in full by anyone able to locate it. The file was not secured with a username or password, and at this stage it is not clear how many individuals were able to download the data.
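The failure described above is a backup artifact left inside the served document root, where a site search or a guessed URL reaches it without any authentication. The following added example (not code from the original article or from LSCC or its web contractor) shows the kind of routine check a web administrator can run against a document root to flag such files before they are indexed. The document-root path, the file names and the extension list are constructed assumptions; the script builds its own sample tree in a temporary directory so it runs offline.

```python
"""Flag backup-style files sitting inside a web document root.

Added example, not part of the original article or of LSCC's tooling. It
assumes a hypothetical document root and constructs a small sample tree in a
temporary directory so that it runs offline.
"""
import re
import tempfile
from pathlib import Path

# Extensions and name fragments that commonly indicate dumps or backups.
# This list is an assumption for the example; tune it to the site in question.
BACKUP_EXTENSIONS = {".bak", ".sql", ".zip", ".tar", ".gz", ".old", ".orig", ".dump"}
BACKUP_NAME_RE = re.compile(r"(backup|bak|dump|export|copy)", re.IGNORECASE)


def find_exposed_backups(docroot):
    """Return POSIX-style relative paths under docroot that look like backups.

    Anything under the served document root is reachable by whoever guesses,
    searches for or indexes the URL, so every hit is a candidate for removal
    or for relocation outside the web root.
    """
    root = Path(docroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & BACKUP_EXTENSIONS or BACKUP_NAME_RE.search(path.stem):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_docroot():
    """Create a constructed sample web root (no real data) and return its path."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "index.html").write_text("<html></html>")
    (tmp / "css").mkdir()
    (tmp / "css" / "site.css").write_text("body{}")
    (tmp / "uploads").mkdir()
    # Two constructed artifacts of the kind that should never be web-served.
    (tmp / "uploads" / "portal_messages_backup.sql").write_text("-- constructed sample")
    (tmp / "uploads" / "site-2014-07-31.tar.gz").write_text("constructed sample")
    (tmp / "uploads" / "logo.png").write_bytes(b"\x89PNG")
    return tmp


def build_clean_docroot():
    """Create a constructed web root with no backup artifacts."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "index.html").write_text("<html></html>")
    return tmp


if __name__ == "__main__":
    for hit in find_exposed_backups(build_sample_docroot()):
        print("exposed backup artifact:", hit)
```

Run it from cron against the real document root and alert on any non-empty result; a hit means a file is one URL away from public download, which is exactly the condition that went unnoticed for six months in the LSCC case.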
LSCC has confirmed that no medical information was present in the data file as this information is securely stored elsewhere. The only data exposed was that which had been entered via the patient portal on the website, which included contact information and messages sent to LSCC staff. While the website does allow payments to be taken using credit cards, this information is not stored anywhere online and was therefore not accessible at any point.
The full text of any messages sent to the healthcare provider, along with contact information such as names, addresses, email addresses and phone numbers, was saved in the backup file. A limited number of individuals also had their dates of birth exposed, but only five people’s full or partial Social Security numbers were included.
LSCC believes the data breach has affected approximately 6,300 patients who had used the form to make refill requests, arrange callbacks or make appointments, the latter being by far the most common request. Approximately a third of the enquiries were from non-patients such as businesses and job seekers.
In accordance with HIPAA Breach Notification Rules, LSCC has advised all individuals of the breach – by post or email if no valid address was entered – as well as the actions the organization has taken to reduce the risk of a similar incident happening in the future. Further information on how to activate the Equifax fraud protection services the company is providing was also detailed in the notification.
An external company was employed to conduct an investigation into the cause of the breach, although it took a number of weeks for the forensic analysis to be conducted and for LSCC to discover exactly who had been affected. The breach notifications were further delayed as the healthcare provider had to arrange credit monitoring services and have all information translated into Spanish. Under HIPAA Rules, breach notifications must be issued within 60 days of discovery of a data breach, and LSCC was able to send the notifications well ahead of the deadline.
LSCC has posted brief details of the breach on its website along with further information for anyone who is concerned that they may have been affected.