Vendor error causes major patient record leak at New York hospital
Tens of thousands, and possibly up to millions, of patient records at Bronx-Lebanon Hospital Center in New York City were exposed in a recent data breach, according to the Kromtech Security Research Center, which uncovered the records on May 3. The records were part of a backup managed by iHealth Innovations, the research center said.
The cause of the breach appeared to be a misconfigured rsync backup, the research center said. rsync is a utility for transferring and synchronizing files and directories between systems; it compares file timestamps and sizes so that only changed data is copied. When it runs as a daemon (listening on TCP port 873 by default), a backup module that is configured without authentication or host restrictions can be listed and read by anyone who can reach the service, which is the pattern behind exposures of this kind.
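To make the misconfiguration concrete, here is an added example (it is not from the article, and it is not code from Kromtech, iHealth or the hospital) that audits an rsyncd.conf for the settings whose absence turns a backup module into a public share: no `auth users`, no `hosts allow`, and `read only` switched off. The two configurations are constructed for illustration; the module name `backup`, the paths, the user name and the network range are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit an rsyncd.conf for the settings
# that expose a backup module to anyone who can reach TCP/873.
# The sample configs below are constructed; module names, paths, users and
# addresses are hypothetical.
set -eu

# Print one finding per line for each [module] in the given rsyncd.conf.
# Global settings (before the first [module]) are inherited by modules, as
# rsyncd does. "read only" defaults to yes in rsyncd, so it is only flagged
# when a module explicitly disables it.
audit_rsyncd_conf() {
    awk '
        function flush() {
            if (mod == "") return
            if (!("auth users" in seen))
                print mod ": no \"auth users\" (anonymous access)"
            if (!("hosts allow" in seen))
                print mod ": no \"hosts allow\" (reachable from any address)"
            if (("read only" in seen) && seen["read only"] ~ /^(no|false|0)$/)
                print mod ": writable (read only = " seen["read only"] ")"
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                       # start of a [module]
            flush()
            mod = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", mod)
            split("", seen)                            # reset per-module settings
            for (k in glob) seen[k] = glob[k]          # inherit global settings
            next
        }
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (mod == "") glob[key] = tolower(val)
            else seen[key] = tolower(val)
        }
        END { flush() }
    ' "$1"
}

# Number of findings for a config file (0 means nothing flagged).
count_findings() {
    audit_rsyncd_conf "$1" | wc -l | tr -d ' '
}

# Black-box check from outside: list the modules a daemon advertises.
# Not invoked here because it needs a reachable host; "rsync://HOST/" with
# no module name asks the daemon for its module list.
probe_rsync_daemon() {
    rsync --contimeout=5 --list-only "rsync://$1/"
}

# Constructed example of the exposed pattern: a world-reachable, writable,
# unauthenticated module.
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
uid = root
[backup]
    path = /srv/backup/patients
    comment = nightly export
    read only = no
EOF

# Constructed hardened version of the same module.
hardened_conf=$(mktemp)
cat >"$hardened_conf" <<'EOF'
uid = nobody
[backup]
    path = /srv/backup/patients
    read only = yes
    list = no
    auth users = backup-reader
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/24
    hosts deny = *
EOF

echo "== weak config =="
audit_rsyncd_conf "$weak_conf"
echo "== hardened config =="
audit_rsyncd_conf "$hardened_conf"
```

The audit is deliberately narrow: it does not prove a module is unreachable (a firewall may still block port 873, or the daemon may not be running at all), and `hosts allow` is only as good as the network it names. Treat a clean result as a prerequisite, not as evidence that the backup is private; the external probe is the confirming check.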
Bronx-Lebanon Hospital Center and iHealth Innovations did not immediately respond to requests for comment.
“By now, you may be tired of reading reports on misconfigured MongoDB installations or rsync backups,” a DataBreaches.net blogger going by the name Dissent wrote. “It’s almost as if no one is listening to any of the researchers begging entities to secure their data. How many MongoDB servers have to be totally wiped out or ransomed before more people start checking whether they left port 27017 open? How many more nude photos of patients or ultrasound images will be exposed because of misconfigured Rsync backups?”
Kromtech Security Research Center and the blogger contacted Bronx-Lebanon and iHealth, and the blogger reported that the data was then secured. The hospital told the blogger it had no further comment at this time.
“So no, we didn’t get to the question of whether any business associate agreement was in place and how the hospital evaluated their vendor’s data security or whether the vendor even needed all that personal and confidential medical information to do its job for the hospital,” the blogger wrote. “The records contained a lot of sensitive medical information in addition to personally identifiable information. Some may be shocked by the amount of detail in the records. Do you really want all these hospital records exposed on the Internet because of a vendor’s error? Do you even want a vendor to have all this sensitive information?”