The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months.
The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Service installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago although the data provided to the developer were not secured and could be accessed online.
The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data.
The data breach was investigated by ZDNet and Databreaches.net, who contacted AWS to report the exposure of sensitive data. Amazon made contact with the software developer who removed the data. ZDNet/Databreaches.net also managed to contact the owner of HealthNow Networks – which is no longer in business – and the software developer, both of whom confirmed the database has now been deleted.
While the data are no longer accessible online, the investigation revealed that many of the individuals whose data were exposed had their email addresses listed on the Have I Been Pwned website, suggesting the database may already have been accessed and downloaded and used for spamming and fraud. However, the logs detailing who accessed the data were not provided to ZDNet/Databreaches.net.
The data breach has now been reported to the FTC, FBI and other law enforcement agencies. The report of the breach and investigation can be viewed on Databreaches.net and ZDNet.
Affected Individuals May Not be Notified
The database contained a number of data elements that are included in the HIPAA description of protected health information (PHI).
The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires HIPAA covered entities to notify patients of any breach of their protected health information (PHI). However, HIPAA only applies to HIPAA-covered entities and their business associates. Individuals whose information has been exposed will not necessarily be notified of the breach of their information as telemarketing firms are not HIPAA-covered entities.
Non-HIPAA-covered entities are required to issue breach notifications, although only under state laws. Many states have now introduced data breach notification laws to protect residents in the event of a breach of their sensitive data by non-HIPAA-covered entities, although gaps exist.
Only 47 states have introduced data breach notification laws, and the definitions of ‘personal information’ that warrant notifications to be issued differ state by state. Residents in Alabama, New Mexico, and South Dakota have yet to introduce breach notification laws so residents may not be notified of data breaches.
Whether individuals affected by a data breach will be notified depends on which company has experienced a data breach and where affected individuals live in the United States. Even if health data is exposed or stolen, breach notifications may not be issued.
The post 918,000 Patients’ Sensitive Information Exposed Online appeared first on HIPAA Journal.