Affiliated Santé Group learned that patient info was exposed on GitHub for years

So there was another breach disclosed in January that I didn’t find out about until today. It’s an insider-error situation involving a software developer contractor who unintentionally exposed protected health information (PHI) of 550 patients on GitHub – for more than five years.

Here is Affiliated Santé Group’s notification:

January 30, 2017
RE:      Notice of Data Breach

The Affiliated Santé Group recently discovered an incident that may affect the security of your personal information. Although we have written letters to all those we have identified that may have been affected by the incident, we are providing this information on our website in case you were involved and did not receive the letter.  This posting is to provide those persons with information about the incident, steps taken since discovering the incident, and information on what you can do to better protect against the possibility of identity theft and fraud.

What Happened? On December 5, 2016, we became aware of a breach of personal health information. We believe that the duration of the information exposure was from sometime in April of 2011 until December 5, 2016. We believe that the individuals involved were serviced by our Eastern Shore Crisis Response Services.

The incident involving the protected health information was that a former software development contractor, without authority or permission, made use of a website known as Github in order to store and work on software source code that was being developed for our electronic medical records. The software developer intended to post only the software source coding but inadvertently left the protected health information, in coded format, where it could have been accessed by others.

To the best of our knowledge none of the information has been accessed or used in a detrimental manner. We are aware of the information being accessed only once by an academic who immediately informed us and destroyed the data in their possession. The information was taken down from Github on December 5, 2016 and the contractor terminated. The Affiliated Santé Group has not identified any misuse of personal information from this breach. We are notifying affected individuals in as timely a manner as possible so you can take personal action along with our Company’s efforts to reduce or eliminate any potential harm.

What Information Was Involved? The personal information involved, depending on the person, may have included name, address, phone number, social security number, date of birth, employment status, health insurance information, emergency contact information, a case identification number, family information, physician information, health information, and case status information.  No credit cards or financial institution information was involved. The information was over five years old at the time we discovered the incident and we believe that has been not been any access or use of the information in a detrimental manner.

What We Are Doing. We take this incident and the security of your personal information very seriously. The Affiliated Santé Group has taken the following actions to prevent your personal information from further harm:
• Initiated a security investigation;
• Forced the contractor to take down from any and all accessible websites all such personal information;
• Cancelled all contracts with, and terminated, the contractor.
• We are also notifying certain federal and state regulators of this incident.

What You Can Do. We recommend immediate steps be taken to protect yourself from any potential information breach harm:
a) Register a fraud alert with the three credit bureaus listed here; and order credit reports:
• Experian: (888) 397-3742;; PO Box 9532, Allen, TX 75013;
• TransUnion: (800) 680-7289;; Fraud Victim Assistance Division, PO Box 6790, Fullerton, CA 92834-6790;
• Equifax: (800)525-6285;; PO 740241, Atlanta, GA 30374-0241;
b) Monitor account statements, EOBs, and credit bureau reports closely;
c) For Information to avoid identity theft:
• Contact the Federal Trade Commission;;
• Contact the Maryland Office of the Attorney General;

For More Information. You may confidentially contact us with questions and concerns in the following ways: calling our Corporate Compliance Office at our toll-free number (844) 510-3639 between the hours of 9:00 a.m. and 5:00 p.m.; sending an e-mail message to [email protected]; addressing a letter to our postal address, Melissa Quick, Corporate Compliance Officer, Affiliated Santé Group, 12200 Tech Road, Suite 330, Silver Spring, MD 20904.

We understand that this may pose an inconvenience to you. We sincerely apologize and regret that this situation has occurred. The Affiliated Santé Group is committed to providing quality care, including protecting your personal information, and we want to assure you that we have policies and procedures to protect your privacy.

About the author: Dissent

Comments are closed.