Capital Digestive Care patient data exposed by vendor error

Sometimes by the time a notification appears on a state breach notification site, I’ve forgotten whether I ever reported it or not. Case in point: Capital Digestive Care in Maryland. I knew about it on February 22, and helped make the notification to them to get them to investigate it (it turned out to be a third-party incident involving LMO). But at the time, and even though I reported on it, I had no numbers for my monthly statistics and it had not been reported to HHS. On April 23, CDC’s external counsel reported the incident to the New Hampshire Attorney General’s Office. We still don’t have numbers for this one, as it’s not on HHS’s breach tool at this time, but here’s their report:

Here’s what you didn’t know about health data breaches in February

Protenus, Inc. has released its February Breach Barometer, with its analysis of 39 health data incidents compiled for them by this site. As I have done in companion posts to their previous reports, I am providing a list, below, of the incidents upon which their report is based. Where additional details are available, I have linked to them. In some cases, as in past months, the only information we have is what HHS has posted on their public breach tool (referred to by some as the “Wall of Shame”). Because HHS’s reporting form results in ambiguous reports, some incidents reported to HHS wind up being coded as “UNKNOWN” for breach vector in Protenus’s analyses. Similarly, HHS’s form does not seem to result in accurate estimates of the role of third parties or Business Associates, and Protenus’s report contains more reports involving third parties than HHS’s list would suggest or indicate.

Unlike previous months’ reports, though, you will see four “nonpublic” incidents in this month’s tally. I will be discussing those four incidents later in this post, but let’s start with a few of the highlights from Protenus’s report for February: 39 incidents, with details for 28 of them; 348,889 records for the 28 incidents for which we had numbers; 16 Insider incidents, accounting for 177,247 records: 15 out of 16 were insider-error, and 1 was insider-wrongdoing; 13 Hacking incidents, accounting for 160,381 records; 11 Business Associate/Third Party incidents; and 23 of the 39 incidents involved providers.

See their report for additional statistics and analyses, including their analyses of gap to discovery of breaches and gap to reporting/disclosing of breaches.
Here is the list of the 39 incidents compiled for February:

California College of the Arts
Capital Digestive Care (Non-public, see notes below this list)
CarePlus
Center for Sports Medicine and Orthopedics (reported to HHS, no other details)
City of Detroit
City of Houston
Coastal Cape Fear Eye Associates
ConnectiCare (reported to HHS, no other details)
Eastern Maine Medical Center
Eduardo Montana of Children’s Cardiovascular Medicine, P.C.
Engle Martin
FastHealth
Flexible Benefit Service Corporation
Forrest General Hospital
Jemison Internal Medicine, PC
Leon County Schools
Memorial Hospital at Gulfport
Mercy Love County Hospital and Clinic
Missouri Department of Mental Health
Numera (Non-public, see notes below this list)
Partners Healthcare
QuadMed (3 reports filed with HHS)
Rhode Island Executive Office of Health and Human Services 1095B (reported to HHS, no other details)
Rhode Island Executive Office of Health and Human Services SNAP (reported to HHS, no other details)
Ron’s Pharmacy Services
RoxSan Pharmacy
RxValet (Non-public, see notes below this list)
Santa Cruz Biotechnology, Inc.
ShopRite
St. Peter’s Surgery & Endoscopy Center
Triple-S Advantage, Inc.
Tufts Associated Health Maintenance Organization, Inc.
University of Virginia Health System
Ventiv Technology
Walmart
White and Bright Family Dental
Unnamed Public School District (Non-public, see notes below this list)

Previously Unreported Incidents

Capital Digestive Care: On February 22,, acting upon a tip from a researcher, contacted CDC to notify them that they had an Amazon bucket leaking patient data without any login required. Some of the data included patient inquiries through their web site with patients’ name, address, phone number, date of birth, and some details or reason for inquiry or appointment request. It appears that the bucket was administered for them by LMO, but neither CDC nor LMO have as yet issued any detailed statement explaining the incident.
On February 24, CDC sent this site a statement:

Until we have a full understanding of the situation, we are unable to comment. Like many companies, Capital Digestive Care contracts with 3rd party vendors for the management of its website. Those vendors are contractually obligated to maintain the security of sensitive information related to our organization. At this time, we are awaiting their full assessment. They have provided the below statement: “LMO takes data privacy and cybersecurity seriously. LMO was notified of the situation and is currently investigating. We have no further comment at this time.”

They have issued no additional statement since then. At this time, then, we do not know the number of patients who had their data left exposed, we do not know how many had their data actually downloaded, and we do not know if this has been reported to HHS or any regulators (yet). There does not appear to be any statement on Capital Digestive Care’s web site at this time, nor on LMO’s.

BlueLibris

One of the more frustrating incidents uncovered in February involves a wearable device that can trigger an alarm to a central service if a patient or subscriber needs medical assistance. was contacted by a researcher who found a misconfigured MongoDB installation that was leaking what appeared to be a combination of production and development data for BlueLibris. reached out to Nortek, and getting no response, also attempted to reach Numera, sending them a notification and asking them to get in touch. Neither Nortek nor Numera ever responded, although the data appear to have been subsequently secured.

Here are some snippets of data in the exposed files, where “sub” presumably refers to “subscriber” to the service:

} “Spoke to sub she stated she had fallen around 1pm and her device never signaled in. Then We did receive a signal at 5 tried to call subs home no answer , phone # was wrong. Sub has updated her Home #”,

Spoke with sub [redacted by] he requested to disable the fall detector feature on his MSD device. Explained to him the risk of doing so and he agreed. Fall detector disabled.”, “_cls” : “PatientAgentNote” }

Sub has a tingle in her face starting under her jaw going into her face. Requested assist. I spoke to Cathy from Mennonite Manor she is sending help. Reassured sub help is on the way.”, “_cls” : “PatientAgentNote” }

Because no one ever responded to notification attempts, notes that it is not certain that there were real patient/subscriber data, but at least some of the entries appeared to be genuine (e.g., Mennonite Manor is a […]