Capital Digestive Care, a Maryland-based gastroenterology group in Silver Spring, discovered an error made by its business associate (BA). The BA uploaded files to a commercial cloud server that did not have the required security controls, exposing the protected health information (PHI) of up to 17,639 patients.
Capital Digestive Care became aware on February 23, 2018 that sensitive patient data was accessible online. CDC immediately took steps to secure the files and prevent access by unauthorized persons. The privacy breach was investigated to determine what types of information were exposed and which patients were affected.
According to the results of the investigation, the exposure was limited to patients who visited the website’s contact pages or submitted their information through the Schedule a Visit page. The exposed information was limited to patients’ names, email addresses, home addresses, telephone numbers and dates of birth. A limited amount of health information for some patients may also have been exposed. No financial information was exposed, since the patient portal login page and the Pay a Bill pages were not affected by the error. Patient accounts, Social Security numbers and electronic health records all remain secure.
The investigative report did not establish how long the patient data was exposed, nor how many unauthorized persons accessed the patient files. So far, Capital Digestive Care has not received any report suggesting that the exposed information has been misused.
Capital Digestive Care has taken steps to prevent similar breaches from happening again. Third-party vendors are now required to confirm their compliance with the HIPAA Security Rule, in particular when personal data is stored in the cloud. Patients whose information was compromised have been notified by mail, and the notification letters include information on protecting and monitoring their personal information.