Cerebral Palsy Research Foundation of Kansas Breach Exposed 8,300 Patients’ PHI

Cerebral Palsy Research Foundation of Kansas (CPRF) discovered on March 10, 2018 that the security protection of one of its databases was removed for 10 months. This vulnerability resulted in the exposure of the protected health information (PHI) of 8,300 patients. Upon discovery of the unsecure demographic database, CPRF took immediate action to secure it.

An investigation of the incident showed that the database was created on a secure subdomain back in 2000. However, when CPRF switched servers in 2017, the database was not identified during the migration, so its security protection was not carried over. During the period when the database was insecure, unauthorized individuals may have accessed the PHI of patients.

There was limited personal information and PHI associated with the patients’ type of disability exposed during the breach. There was no exposure of financial information or donor information. The patients who were potentially affected by the breach include those who visited CPRF from 2001 to 2010 for services.

It is not clear whether unauthorized persons actually accessed the exposed PHI during the time the unsecured database was left open, but CPRF offered one year of free credit monitoring and identity theft protection services to all individuals affected by the breach. CPRF also took steps to mitigate the risks in response to the investigation. All domains, subdomains and databases underwent a complete audit for existing vulnerabilities. To keep the same error from happening again, data security policies, as well as other policies and procedures regarding employee transitions, were reinforced. A third-party expert was also contracted to conduct vulnerability scans and penetration tests regularly.
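The root cause described above is a server migration in which one database was never identified, so the access control it had on the old host was not applied on the new one. The following is an added illustration, not CPRF's code or any description of its systems: a reconciliation check that compares a pre-migration inventory of databases against a post-migration configuration snapshot and flags anything missing, anything carried over without its access control, and anything on the new server that the inventory never listed. All hosts, database names and records are constructed for the example.

```python
"""Reconcile a pre-migration database inventory against a post-migration
configuration snapshot so that no database is moved without its protection.

Added example with constructed data; hostnames and database names are
placeholders and do not describe any real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DbAsset:
    host: str            # subdomain the database is served from
    name: str            # database name
    auth_required: bool  # whether an access control is configured


# Constructed pre-migration inventory: every known database and its expected protection.
OLD_INVENTORY = [
    DbAsset("research.example.org", "demographics", True),
    DbAsset("portal.example.org", "appointments", True),
    DbAsset("portal.example.org", "donors", True),
    DbAsset("archive.example.org", "legacy", True),
]

# Constructed snapshot of the new server's configuration after the switch.
NEW_CONFIG = [
    DbAsset("portal.example.org", "appointments", True),
    DbAsset("portal.example.org", "donors", True),
    DbAsset("research.example.org", "demographics", False),  # copied without auth
    DbAsset("reports.example.org", "scratch", True),         # not in the inventory
]


def reconcile(old, new):
    """Compare inventory against configuration.

    Returns a dict with three lists of (host, name) keys:
      missing     - inventoried databases absent from the new configuration
      unprotected - databases that required auth before but do not now
      unknown     - databases on the new server that the inventory never listed
    """
    old_by_key = {(a.host, a.name): a for a in old}
    new_by_key = {(a.host, a.name): a for a in new}

    missing = [k for k in old_by_key if k not in new_by_key]
    unprotected = [
        k for k, a in old_by_key.items()
        if k in new_by_key and a.auth_required and not new_by_key[k].auth_required
    ]
    unknown = [k for k in new_by_key if k not in old_by_key]
    return {"missing": missing, "unprotected": unprotected, "unknown": unknown}


def migration_is_clean(old, new):
    """True only when every finding list from reconcile() is empty."""
    return all(not items for items in reconcile(old, new).values())


if __name__ == "__main__":
    findings = reconcile(OLD_INVENTORY, NEW_CONFIG)
    for category, keys in findings.items():
        for host, name in keys:
            print(f"{category}: {name} on {host}")
    print("migration clean:", migration_is_clean(OLD_INVENTORY, NEW_CONFIG))
```

The "unknown" list is the one that would have caught the situation the article describes: a database nobody had on the inventory is exactly the one whose protection nobody re-applies. Running the check as a gate before the old server is decommissioned, rather than as a one-off audit afterwards, is the point of the exercise.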

CPRF already sent breach notification letters by mail to all individuals affected by the incident and submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights.