May 16, 2018

Common sense dictates that patients’ protected health information should not be made freely available on FTP servers that have no login required.  And yet it still happens, and has happened again.

Recently, this site learned of another FTP server exposing patients’ information. This particular FTP server belongs to MedEvolve, an Arkansas company that provides practice management software. As we have seen in so many other leaks, this FTP server was set to permit anonymous login and had no banner telling people to keep out of the files with patients’ information.

No banner told people to stay out of the FTP server. No login creds were required, either.

The researcher who reported the leak to DataBreaches.net observed that a number of clients had files on the FTP server, and in all cases but two, the files were password-protected.

One of the two clients where no password or protection was deployed was Premier Urgent Care in Exton, Pennsylvania (there are a number of medical entities called Premier Urgent).

 

The SQL database that was not secured contained more than 205,000 patient rows, the researcher reported.

The database contained more than 205,000 records.

More than 11,000 of the records reportedly included Social Security numbers.

A second MedEvolve client with exposed patient information on that FTP server was Dr. Beverly Held, a dermatologist in Corpus Christi, Texas.

 

Dr. Held’s files consisted of three .dat files. According to the screenshot the researcher provided this site, the files had last been modified on November 10, 2015. The researcher estimated that there were about 12,000 Social Security numbers exposed in the files.

On May 3, DataBreaches.net notified the two medical practices and MedEvolve. At the request of Dr. Held’s staff, I also spoke with their outsourced IT support firm.

That same day, the files were removed from public access.

And that was the last I heard until I started reaching out to them all again to ask what they had found and what they intended to do.  Dr. Held’s IT firm responded promptly to my inquiries and indicated that they were not responsible for the leak because this incident, if it occurred, predated their involvement with Dr. Held’s practice.  For every other question I posed, their answer was that MedEvolve was investigating.

Here are the questions I had/have for both entities and MedEvolve:

  • For how long were the Premier Urgent Care files exposed without any password required to access them?
  • For how long were Dr. Beverly Held’s patient files exposed without any password required to access them?
  • Were there access logs that showed how many times the patient data files may have been accessed and/or downloaded?
  • Whose responsibility was it to secure those files? MedEvolve? The clients’?
  • Will any patients be notified of this?
  • Will HHS be notified of this?
  • Did Premier Urgent Care and Dr. Beverly Held have business associate agreements in place with MedEvolve?
  • Did Premier Urgent Care and Dr. Beverly Held have risk assessments that included the files on this FTP server?
  • Why has not one person contacted me to ask what data/PHI I might be in possession of, or what data the researcher might be in possession of, and whether we would securely destroy any data and provide an attestation of that destruction?
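The access-log question is the one an incident responder can actually answer from the server itself, provided logging was turned on and the logs were retained for the period in question. What follows is an added example, not anything from MedEvolve or from this post: it parses constructed log lines written in the style of vsftpd’s transfer log (the exact format, the paths, the usernames and the addresses are all assumptions made for the example) and tallies how many anonymous sessions logged in, where they came from, and which files they downloaded.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines in the style of vsftpd's /var/log/vsftpd.log.
# Addresses are from the RFC 5737 documentation ranges; paths, users and
# sizes are invented for this example.
SAMPLE_LOG = """\
Mon May  7 10:22:31 2018 [pid 2345] CONNECT: Client "203.0.113.10"
Mon May  7 10:22:32 2018 [pid 2344] [ftp] OK LOGIN: Client "203.0.113.10", anon password "mozilla@example.com"
Mon May  7 10:22:40 2018 [pid 2344] [ftp] OK DOWNLOAD: Client "203.0.113.10", "/clients/clinic_a/patients.sql", 52428800 bytes, 512.00Kbyte/sec
Mon May  7 10:25:01 2018 [pid 2350] [ftp] OK LOGIN: Client "198.51.100.7", anon password "test@test.com"
Mon May  7 10:25:09 2018 [pid 2350] [ftp] OK DOWNLOAD: Client "198.51.100.7", "/clients/clinic_a/patients.sql", 52428800 bytes, 1200.00Kbyte/sec
Mon May  7 10:25:30 2018 [pid 2350] [ftp] OK DOWNLOAD: Client "198.51.100.7", "/clients/clinic_b/export1.dat", 4096 bytes, 80.00Kbyte/sec
Mon May  7 11:00:00 2018 [pid 2360] [jsmith] OK LOGIN: Client "192.0.2.44"
Mon May  7 11:00:20 2018 [pid 2360] [jsmith] OK DOWNLOAD: Client "192.0.2.44", "/clients/clinic_c/report.zip", 2048 bytes, 40.00Kbyte/sec
Mon May  7 11:05:00 2018 [pid 2370] [ftp] FAIL LOGIN: Client "203.0.113.99"
"""

# Local account names under which anonymous sessions get logged
# (vsftpd's ftp_username defaults to "ftp"); an assumption for the example.
ANONYMOUS_USERS: Set[str] = {"ftp", "anonymous"}

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<event>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)
TRANSFER_RE = re.compile(r', "(?P<path>[^"]+)", (?P<nbytes>\d+) bytes')


@dataclass(frozen=True)
class FtpEvent:
    ts: str
    user: str
    status: str
    event: str      # LOGIN, DOWNLOAD, UPLOAD, DELETE, ...
    client: str
    path: Optional[str]
    nbytes: int
    anonymous: bool


def parse_vsftpd(text: str) -> List[FtpEvent]:
    """Parse user-attributed OK/FAIL lines. CONNECT lines carry no user and are skipped."""
    events: List[FtpEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = TRANSFER_RE.search(m["rest"])
        events.append(FtpEvent(
            ts=m["ts"], user=m["user"], status=m["status"], event=m["event"],
            client=m["client"],
            path=t["path"] if t else None,
            nbytes=int(t["nbytes"]) if t else 0,
            anonymous=m["user"] in ANONYMOUS_USERS or "anon password" in m["rest"],
        ))
    return events


def summarize_anonymous_access(events: List[FtpEvent]) -> Dict[str, object]:
    """Answer 'who got in without credentials, and what did they take?'"""
    anon = [e for e in events if e.anonymous]
    logins = [e for e in anon if e.event == "LOGIN" and e.status == "OK"]
    downloads = [e for e in anon if e.event == "DOWNLOAD" and e.status == "OK"]
    return {
        "anonymous_logins": len(logins),
        "failed_anonymous_logins": sum(1 for e in anon if e.event == "LOGIN" and e.status == "FAIL"),
        "anonymous_clients": {e.client for e in logins},
        "anonymous_downloads": Counter(e.path for e in downloads),   # path -> times fetched
        "anonymous_bytes": sum(e.nbytes for e in downloads),
        "first_anonymous_download": downloads[0].ts if downloads else None,
    }


if __name__ == "__main__":
    for key, value in summarize_anonymous_access(parse_vsftpd(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Two caveats on reading the output. The "first anonymous download" timestamp only bounds the exposure from the point logging began, not from when the files were first placed on the server without a password, so it cannot by itself answer the "for how long" questions. And a server in this state should be treated as having been found: a download count of zero in a log that may have been rotated away is not evidence that nobody took the data.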

DataBreaches.net did hear back from Matthew Rolfes, President & CEO of MedEvolve.  Rolfes thanked this site for alerting them, and wrote:

Our IT team, along with our healthcare lawyers, are aggressively investigating the situation. We have, and will, take any necessary steps in order to mitigate any adverse effects to the extent within our control.

We are also aware of HIPAA requirements applicable to Covered Entities and Business Associates in the event of a breach. Our company will comply accordingly.

I know you will understand that we cannot, on the advice of counsel, disclose to you all aspects of the investigation.

There’s a big difference between not disclosing all and not disclosing anything. A little more transparency would be in order, I think.

So in any event, I am disclosing this incident on this site and we’ll see if/when it shows up on HHS’s public breach tool, either by MedEvolve or by one or both of the medical practices.

May 14, 2018

So for a law firm, I would think this would be a really bad breach to have to disclose.

Mason Law Office in Sacramento sent a copy of their notification to the California Attorney General’s Office.  Their notification reads, in part:

What happened?

On or about May 5, 2018, we discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made since we have implemented all security measures offered by mycase.com. Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. The extent of the information accessed will be thoroughly investigated by Mason Law Office, P.C. and mycase.com. You will be contacted if we discover any information specific to your case.

What Information Was Involved?

Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications. Please note, our standard procedure is to remove identifiable account information from financial statements, tax returns, and disclosure documents prior to uploading them into mycase.com. We also do not store payment information, such as credit card information used for payments into your trust account. No payment information given to us was ever put into mycase.com whatsoever. We use bank approved software for all payment transactions, which is highly regulated and secure.

May 13, 2018

Questar Assessment, which has been named in about half a dozen posts on this site in 2018 already, makes the news again, it seems. Now Kayleigh Skinner reports:

The Mississippi Department of Education says local school districts are receiving student tests scores later than expected because the testing vendor didn’t submit them on time.

On Friday, executive director of the office of student assessment Walt Drane emailed superintendents, district coordinators and principals and said Questar Assessment Inc. — the testing vendor Mississippi uses to administer state tests — was supposed to provide third grade scores and scores for students who need them before graduation by the department of Education’s close of business, but the vendor “failed to deliver on their promise to provide these data files at the agreed upon time.”

[…]

This is not the first issue with Questar for the department — in January, 663 students in Tupelo and Jefferson County school districts were affected by a data breach involving the company. Those students make up less than one percent of all students who took the assessment, but the Mississippi Department of Education said in a release at the time that an “unauthorized user” viewed student records from students at some of those district middle schools.

Read more on Mississippi Today. It’s not clear whether Questar missing the contractual deadline had anything to do with any previously reported breach, but either way, this type of reputation hit cannot be good for them.

May 12, 2018

Catherine Ho reports:

The personal information of nearly 900 patients of San Francisco General and Laguna Honda hospitals was breached after a former employee of one of the hospitals’ vendors got unauthorized access to the data, the San Francisco Public Health Department said Friday.

The data included patients’ names, dates of birth, medical record numbers and details of their medical conditions, diagnoses, treatment and care plans. It did not include Social Security numbers, driver’s license numbers or financial account numbers, according to officials with the health department, which runs the health network that includes the two hospitals.

The information of 895 patients was accessed between Nov. 20 and Dec. 9, and the patients involved have been notified, officials said.

Read more on SF Chronicle. This was an insider-wrongdoing breach: an employee of their transcription service provider, Nuance Communications in Massachusetts, reportedly also accessed patient information from other Nuance clients. If the name “Nuance” sounds familiar, it may be because they lost almost $100 million in a NotPetya attack last year.

The following notice was posted on the San Francisco Public Health Department home page yesterday:

Vendor security incident: unauthorized access of medical record information
No evidence that personal information has been used for any purpose

SAN FRANCISCO (May 11, 2018) — The San Francisco Department of Public Health today informed 895 patients of a security incident involving personal information handled by a third-party medical transcription service. The transcriptions covered visits to the San Francisco Health Network, the Health Department’s system of hospitals and clinics.

The incident happened at Nuance Communications, a Massachusetts-based company contracted to provide medical transcription services. The information was accessed last year from November 20 to December 9. Notification to patients was delayed at the request of the FBI and the U.S. Department of Justice, pending their criminal investigation into the incident. The investigation determined that a former Nuance employee breached Nuance’s servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department has informed Nuance that it does not appear that any of the information taken was used or sold for any purpose, and that all of the data have been recovered from the former employee.

The information accessed included personal data such as name, date of birth, medical record number, patient number, and information dictated by the provider such as patient condition, assessment, diagnosis, treatment, care plan and date of service.

The incident did not include information such as Social Security number, Driver’s License number or financial account numbers.

“The San Francisco Department of Public Health is committed to maintain the privacy of our patients and takes its responsibility to address privacy incidents seriously,” said Roland Pickens, Director of the San Francisco Health Network.  “We sincerely apologize for any inconvenience or concern that this situation may cause. All of our vendors are required to attest to the protection of patient privacy, as part of their contract, and we continue to audit and improve upon that process.”

The San Francisco Health Network has sent a letter to all the affected patients, who were seen at Zuckerberg San Francisco General Hospital or Laguna Honda Hospital. The Health Department also has notified the California Department of Public Health and the California Attorney General.

San Francisco Health Network patients with questions can contact the Health Department’s Privacy Office toll free at (855) 729-6040 and reference “Nuance” or #2017-122 in the message.

May 9, 2018

“I would like to tell you about something, but could you keep my name out of it?” That’s how so many of my investigations begin these days – with a request to protect the identity of independent researchers who want to be helpful but are afraid that they will wind up getting raided or hassled like Justin Shafer has been. I agreed to try to keep this researcher’s name out of it all, and they told me how a newborn photography service, Mom365, seemed to have babies’ photos too easily accessible from their server.

If you just input random 6-digit “guest access codes,” the researcher told me, you might retrieve web pages with a baby’s first name, the parents’ first names, the baby’s date of birth, the hospital where the baby was born, and their height and weight. And oh yes, you could see some adorable newborn pictures, although some of the web pages no longer had the newborn pictures available.

Newborn’s picture and information were still available online if you guessed the 6-digit code. Redacted by DataBreaches.net.

The information might not be enough by itself to commit identity theft, the researcher told me, but it was enough to start socially engineering either the hospital or the parents for more information. And that was the researcher’s main concern: there was enough information too readily available that could be used to support social engineering schemes.

A quick check/test confirmed the claims about how easy it was to retrieve pages with personal information. I was finding pages from more than 10 years ago, and some pages still had the babies’ pictures available with their names, parents’ names, date of birth, name of hospital, and height and weight.
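What the researcher describes is a guessable identifier doing the work of a credential: six decimal digits give a space of one million codes, about 20 bits, so with thousands of live pages a random guess lands on a real one every few hundred tries, and nothing in the description slowed the guessing or expired pages that were years old. The following added example is hypothetical code, not Mom365’s, with an invented record layout. It puts a minimal version of that weak design beside a hardened one (128-bit random tokens stored as a keyed hash, an expiry, and a per-client failure throttle) and counts how many random guesses hit a real page in each.

```python
import hashlib
import hmac
import random
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


# Hypothetical record behind a shared newborn page. The field names are an
# assumption for this example, not any real schema.
@dataclass(frozen=True)
class GuestPage:
    baby_first_name: str
    hospital: str
    created_at: float


class WeakGuestStore:
    """The pattern described above: a six-digit numeric code is the only
    credential, every code stays valid forever, and lookups are unthrottled."""
    CODE_SPACE = 10 ** 6  # about 20 bits

    def __init__(self, rng: random.Random):
        self._rng = rng  # seeded only so the simulation is reproducible
        self._pages: Dict[str, GuestPage] = {}

    def issue(self, page: GuestPage) -> str:
        while True:
            code = f"{self._rng.randrange(self.CODE_SPACE):06d}"
            if code not in self._pages:
                self._pages[code] = page
                return code

    def lookup(self, client_id: str, code: str) -> Optional[GuestPage]:
        return self._pages.get(code)  # no expiry, no throttling, plaintext codes at rest


class HardenedGuestStore:
    """Same interface: CSPRNG tokens, keyed hash at rest, expiry, failure throttle."""
    TOKEN_BYTES = 16        # ~128 bits of entropy per token
    MAX_FAILURES = 10
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, pepper: bytes, ttl_seconds: float,
                 clock: Callable[[], float] = time.time):
        self._pepper, self._ttl, self._clock = pepper, ttl_seconds, clock
        self._pages: Dict[str, GuestPage] = {}             # HMAC(token) -> page
        self._failures: Dict[str, Tuple[int, float]] = {}  # client -> (count, last)

    def _digest(self, token: str) -> str:
        # Keyed hash: a copied table yields no usable tokens, and the dict is
        # keyed on the digest rather than on the raw token bytes.
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, page: GuestPage) -> str:
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._pages[self._digest(token)] = page
        return token

    def locked_out(self, client_id: str) -> bool:
        count, last = self._failures.get(client_id, (0, 0.0))
        return count >= self.MAX_FAILURES and self._clock() - last < self.LOCKOUT_SECONDS

    def lookup(self, client_id: str, token: str) -> Optional[GuestPage]:
        if self.locked_out(client_id):  # a locked-out client is refused even a valid token
            return None
        page = self._pages.get(self._digest(token))
        if page is None or self._clock() - page.created_at > self._ttl:
            count, _ = self._failures.get(client_id, (0, 0.0))
            self._failures[client_id] = (count + 1, self._clock())
            return None
        self._failures.pop(client_id, None)
        return page


def guessing_hits(store, guess: Callable[[], str], attempts: int,
                  client_id: str = "203.0.113.5") -> int:
    """How many of `attempts` guesses from one client resolve to a real page."""
    return sum(1 for _ in range(attempts) if store.lookup(client_id, guess()) is not None)


def demo(live_pages: int = 2000, attempts: int = 20_000) -> Tuple[int, int]:
    """Constructed scenario: one client guesses `attempts` times against each
    store holding `live_pages` pages. Returns (weak_hits, hardened_hits)."""
    rng = random.Random(2018)
    now = 1_525_000_000.0  # fixed clock so the run is reproducible
    weak = WeakGuestStore(rng)
    hardened = HardenedGuestStore(pepper=b"rotate-me", ttl_seconds=90 * 86400, clock=lambda: now)
    for i in range(live_pages):
        page = GuestPage(f"baby{i}", "Example Hospital", now)
        weak.issue(page)
        hardened.issue(page)
    weak_hits = guessing_hits(weak, lambda: f"{rng.randrange(10 ** 6):06d}", attempts)
    hardened_hits = guessing_hits(hardened, lambda: secrets.token_urlsafe(16), attempts)
    return weak_hits, hardened_hits


if __name__ == "__main__":
    print("weak hits, hardened hits:", demo())
```

With 2,000 live pages in a space of a million codes, each guess against the weak store hits with probability 0.002, so 20,000 guesses land on roughly forty real pages; the same budget against the hardened store yields nothing and trips the throttle after ten misses. Note the order of importance: the throttle is a backstop, since a patient attacker can spread guesses across many source addresses, and the fix that actually closes the hole is the 128-bit token. Expiring or deleting old pages, which Mom365 says it will do, is what removes the decade-old records the researcher was finding.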

So I started looking at Mom365’s web site, and the first thing that struck me was that I had absolutely no firm sense of whether they would be a business associate (BA) under HIPAA or not. My non-lawyerly impression was that they were likely a vendor and not a BA, but if the hospital provided them with the mother’s name and the fact that she just had a baby, didn’t that put them in possession of protected health information (PHI)? And if so, didn’t they need to be a BA to receive that information? So maybe they were a business associate? I was definitely confused.

At that point, I reached out to one of the hospitals whose name had turned up as using Mom365  (Kaiser Baldwin Park) to see what they would say about whether Mom365 was a vendor or a BA to them. And of course I also reached out to Mom365 to alert them to the concern.

Adam Greene of Davis Wright Tremaine, external counsel for Mom365, responded to my notification and inquiry to the photography service.  Let’s start with his explanation of Mom365’s business arrangements with hospitals.

According to Greene, Mom365 enters into one of two types of business models with hospitals. In the first model, the hospital obtains a HIPAA authorization before disclosing limited information to Mom365. The limited information (e.g., mother’s name, room number, and the fact that the mother delivered a child) is provided to Mom365 so that Mom365 can offer newborn photography services. The hospital only provides that information to Mom365 if the mother first signs a HIPAA authorization. In this model, all of the information that Mom365 collects would then be outside of HIPAA.

The second model is that Mom365 is a business associate of the hospital for the limited purpose of obtaining the initial HIPAA authorization. This is analogous to guidance in the research setting, Greene explained, where a researcher can be a business associate for the limited purpose of obtaining authorizations for disclosure of protected health information for the research. In this model, the hospital provides the limited information about new mothers to Mom365 for the sole purpose of Mom365 seeking authorizations. Mom365’s policy is that the Mom365 employee would contact the new mother and ask if she would like to sign a HIPAA authorization authorizing the Mom365 employee to provide information about the newborn photography services. If the mother signs the HIPAA authorization, the Mom365 employee then provides information about the newborn photography services. If the mother chooses not to sign the authorization, then the Mom365 employee leaves without providing information about the newborn photography services. Under this model, then, Mom365 is acting as a business associate solely for purposes of offering a HIPAA authorization, and is not a business associate or subject to HIPAA after execution of the HIPAA authorization, when Mom365 is providing information about its newborn photography services or delivering the service on its own.

No wonder I was having trouble figuring out whether Mom365 would be a business associate or not under HIPAA. There was more than one model. Thankfully, though, I had also reached out to two HIPAA lawyers who helpfully offered their opinions.

Three Professionals, Four Opinions

Prior to my conversation with Adam Greene, I had sent some information to Jeff Drummond of Jackson Walker that was based on Mom365’s web pages and site. I had asked Jeff whether he thought that this would be a BA situation or not.  Jeff had initially opined that he saw it as an open issue as to whether there would be a BA relationship or not.  But when I asked him about any liability for photos and information that was not rigorously secured despite the service’s claims, he replied:

The photography company seemed to say all the right things, so I think it’d be hard to blame a hospital for not knowing they weren’t providing appropriate protections. But once the hospital has reason to know something is up, they have responsibility to make sure the photo company fixes things, or they must terminate the relationship. The hospitals also need to consider whether they have a reporting obligation, either under HIPAA or state law; even if they don’t, they probably want to report it anyway. The photo company may have a state-law obligation to report a data breach, unless they can audit access and determine that your tipster was the first and only person to discover the password taxonomy. They certainly need to fix the problem, though.

Keep in mind that Jeff offered that statement before we had any response from Mom365’s counsel, but it still is food for thought. If you accept Greene’s explanation of the models, are there any reporting requirements for this type of situation and what responsibility(ies) do the hospitals have?

Matthew Fisher of Mirick, O’Connell, DeMallie & Lougee also shared his thoughts about the business associate question after reviewing what Greene told DataBreaches.net about the two models. In an emailed statement to DataBreaches.net, Matt wrote, in part:

Under either model, it looks like the argument is being made that a HIPAA authorization is needed for purposes of marketing a service. In model 1, the hospital needs the authorization, which ostensibly would be an authorization to allow marketing, although it would really be an authorization to allow immediate transmittal of information to the outside company that would then directly market its services. It is nearly similar in model 2, where the hospital is just not acting as the middleman, but enabling Mom365 to come in directly and seek the authorization to then in turn market the services.

I think the argument is running a fine line and question if the authorization contemplated is really one covering marketing, whether the financial benefit that could accrue to Mom365 is disclosed, and how/when the new mothers are approached.

Going with the idea that the authorization is for marketing purposes, I can see how Mom365 falls outside of HIPAA. It may not be readily apparent to the new mothers though. If there is confusion, that could come back on the hospital as a hit to its reputation.

[…]

Leaving aside the potential HIPAA implications, it just seems like a bad business practice to make information about newborns along with a picture easily obtainable. Having weak security in such a scenario given all of the attention on maintaining privacy does not seem like a good idea.


Matt has also written his own blog post about how some hospitals’ legacy nursery pictures are still online, and how that is Not a Good Idea At All. You can read his post here.


In response to Matt’s analysis of Mom365, Jeff wrote a lengthy analysis that gives us even more food for thought as he suggests that a marketing analysis overshoots the mark:

“Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 45 CFR 164.501. Does the hospital letting the mothers know that the service is available “encourage” them to purchase or use? Maybe, maybe not. If not, then it’s not an issue. It’s also not marketing if it’s a service the hospital itself provides (presumably either directly or through a subcontractor [“under arrangements,” if you will]), which would seem to make scenario 2 entirely non-marketing.

I’m omitting Jeff’s analysis of Scenario 1 for now, even though it’s fascinating, to focus on Scenario/Model 2:

In Scenario 2, we start the same: the hospital uses mom’s PHI (“hey, you just had a baby”) to let her know about Mom365; it may or may not be marketing, but we don’t need an authorization anyway, so we’re good to go. So far. We told mom, she’s interested. However, now, instead of getting mom’s authorization to provide her PHI to Mom365, the hospital gives a little bit of mom’s PHI to Mom365, so that Mom365 can contact mom and get an authorization. Here, you’ve got the hospital disclosing mom’s PHI to Mom365. The hospital does not have mom’s authorization. But, according to Adam, Mom365 is a “business associate” of the hospital. So, presumably, Mom365 is providing a service to or on behalf of the hospital. OK, I guess the hospital could have its own photography department, and instead it’s hired out Mom365 to do the work. Fair enough, but the hospital needs a BAA with Mom365 that covers this disclosure and correlates to Mom365 providing a service to the hospital, as opposed to providing the service directly to mom. If there’s a BAA in place, this is probably OK; however, I bet there isn’t one. I don’t know why Adam [Greene] would analogize to the research situation here: in the research situation, the researcher is definitely not working for the hospital, but rather for an outside research entity, but is still allowed to access the hospital’s PHI files to find potential research candidates. I see how the theory works here (researchers are looking for patients who would be good in their clinical study, photographers are looking for proud parents who want baby pix), but research and baby photos are not the same thing (social utility arguments notwithstanding), and research gets special protections while baby photos don’t.

And NONE OF THIS IMPACTS THE REQUIREMENTS THAT MOM365 HAVE REASONABLE ADMINISTRATIVE, PHYSICAL AND TECHNICAL SAFEGUARDS TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF THE PHI. The hospital may be in the clear if it had the BAA in place in scenario 2, and seems generally in the clear in scenario 1, but Mom365 is not if it failed to protect confidentiality and data security.

There’s a lot to process there. And it’s clear that Jeff Drummond isn’t persuaded by Adam Greene’s rationale and argument.

DataBreaches.net is extremely grateful to both Jeff Drummond and Matt Fisher for sharing their insights into these issues. This would have made for a great panel at some conference to figure out whether HIPAA applies and if so, how. But of course, my original concern was whether these babies’ and families’ information is being adequately secured. It seemed to me that it wasn’t, so I asked Adam Greene for a follow-up as to what Mom365 was doing now that they had been made aware of the issue. Mom365 sent the following statement:

Mom365 is very appreciative that this website issue was brought to our attention. We have changed authentication requirements on the website to address this, and in the coming weeks will delete certain older web pages of our users. At Mom365, we strive to best balance information security with the best user experience for the new mothers and their family and friends. We are going to continue to do our best to ensure that information is secure, while also easily accessible to authorized family and friends.

They did not answer my question as to whether this would be reported to any federal or state regulators, but if I find out more, I will update this post.

Kaiser Baldwin Park and Kaiser Permanente’s national media coordinator did not respond to this site’s inquiries about what they were doing after having been made aware of the issue. Nor did Baldwin Park ever provide a response to the question of whether they had a BAA in place with Mom365 or not. While Kaiser Permanente and Kaiser Baldwin Park are obviously not the only hospitals that made some arrangement with Mom365, I am somewhat surprised that they have not responded more transparently to this site’s questions, as I have found KP to be very forthcoming in response to breach or privacy-related inquiries in past incidents.

Great thanks to the independent researcher who contacted me with this issue. This may not be the most serious or worrisome breach that I’ve covered this year, but it’s a great reminder that hospitals need to pay attention to what their vendors or business associates are doing.