PHI of 42,000 Patients Exposed Due to Server Misconfiguration


The protected health information (PHI) of 42,000 patients of a New York medical practice was exposed online because of a misconfigured server. A security researcher discovered the problem by accessing the data, but it is not known whether anyone else accessed it.

Chris Vickery, director of cyber risk research at UpGuard, discovered the server misconfiguration on January 25, 2018. In his March 26 blog post he explained that the exposed port was one commonly used for remote synchronization (rsync). Because of the misconfiguration, access was not limited to specific whitelisted IP addresses; anyone who knew the server’s IP address was able to access the data.
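One defensive check that follows from the root cause above, as an added example that is not code from the article or from UpGuard: a small audit that parses an rsyncd.conf (the standard global-then-[module] layout, using the real "hosts allow" and "auth users" directives) and lists modules that no source-address restriction covers. The sample configurations and the address 203.0.113.10 are constructed; only the module name comes from the article.

```python
"""Audit an rsyncd.conf for modules reachable from any source address."""
from typing import Dict, List, Tuple

def parse_rsyncd_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global options, {module: options}); keys look like 'hosts allow'."""
    global_opts: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue  # malformed; rsync itself rejects such lines
        key, _, value = line.partition("=")
        current[" ".join(key.split()).lower()] = value.strip()
    return global_opts, modules

def exposed_modules(text: str) -> List[str]:
    """Modules with no 'hosts allow' in the module or in the global defaults."""
    global_opts, modules = parse_rsyncd_conf(text)
    default_allow = global_opts.get("hosts allow", "")  # global values are module defaults
    return [name for name, opts in modules.items()
            if not opts.get("hosts allow", default_allow)]

# Constructed config in the weak shape the article describes: any address
# that can reach the rsync port may read the module.
WEAK_CONF = """
uid = nobody
[backupwscohen]
    path = /srv/backup
    read only = yes
"""

# Corrected: one allowed source (203.0.113.10 is a documentation address
# used here as a stand-in) and a required login.
FIXED_CONF = """
uid = nobody
hosts allow = 203.0.113.10
[backupwscohen]
    path = /srv/backup
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""
```

Running `exposed_modules` over a real /etc/rsyncd.conf flags every module the daemon would serve to any client that can reach the port.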

The repository had several exposed sections. One, named backupwscohen, was publicly accessible and contained files with highly sensitive information. Another was a virtual hard drive holding staff details such as spouses’ details, children’s names and, in some cases, Social Security numbers. An Outlook .pst file containing a large volume of email communications was also accessible. There was also a database holding the information of 42,000 patients, including names, birth dates, addresses, phone numbers, email addresses, health insurance information, Social Security numbers, ethnicities and clinical notes with over 3 million observations.

Vickery found that the accessible information came from the Huntington, New York medical practice of Cohen, Bergman, Klepper & Romano MDs’ PC. Starting February 12, Vickery made several attempts to notify the doctors of the data breach: directly, via the local hospital and even through databreaches.net. It was only on March 19 that the physicians received the message and took action to secure the server. All patients’ PHI has since been secured.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/