Long Island provider exposes data of 42,000 patients in misconfigured database

Cohen, Bergman, Klepper, Romano MDs left an online database open to the public, containing apparent backup data of patient files that included 3 million clinical notes.
By Jessica Davis
12:45 PM
Share
healthcare data breach

Long Island-based Cohen, Bergman, Klepper, Romano MDs misconfigured its online database, exposing the personally identifiable information of about 42,000 patients. 

Misconfigured databases are a continued issue for the healthcare industry. The exposed data doesn’t require a hacker to inflict the damage. In fact, Gartner estimates that about 70 to 99 percent of these breaches are caused by internal misconfiguration.

On Jan. 25, UpGuard Security Researcher Chris Vickery discovered an exposed port on an IT system. The 873 port is used for remote synchronization, or rsync utility, that copies data from one machine to another. Typically, an IT team would secure access by implementing the host’s allow/deny feature. But the provider failed to incorporate the specific IP addresses allowed to access the server, thus “the repository was exposed to anyone who happened across it,” according to Vickery.  

[Also: The biggest healthcare data breaches of 2018 (so far)]

Many cybercriminals actively scan for these types of misconfigurations so there’s a clear risk of both exposure and the data being used for medical fraud. 

The database contained a wide range of patient data including names, Social Security numbers, dates of birth, insurance information, phone numbers, addresses and other personal data. It also contained more than 3 million clinical notes from patient visits. Extensive data on the provider’s staff, including addresses and even their children’s names, were also exposed. For one family, in fact, all Social Security numbers were exposed.

UpGuard made repeated efforts to alert the impacted clinic of its misconfigured database. But it took those providers almost two months to secure the data on March 19.

“The prolonged exposure of this information despite this, speaks to the vital urgency of implementing a durable process for use in acknowledging a breach disclosure and remediating the issue,” Vickery wrote. “Empowering personnel with directions on how to respond to news of a data exposure protects both the enterprise and any individuals whose information may be leaking.”

Gartner recommended that the issue of misconfigured databases can be mitigated by better internal policies for an organization’s IT infrastructure. 

Cohen, Bergman, Klepper, Romano MDs did not respond to a request for comment as of publication time.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com