Dedicated server hosting three medical practices hacked; some patient information exfiltrated to Gmail account
Several medical groups in Massachusetts were notified by their hosting service, Clearpoint Design, Inc., that a dedicated server on Hosting.com was hacked on October 18, 2012. The practices affected were South Shore Medical Center, who notified 4,100 patients, Harbor Medical Associates, P.C., who notified 4,343 patients, and Child & Family Psychological Services, Inc., who notified 7,250 patients. The numbers were reported in an update to HHS’s breach tool today.
The types of data exposed varied by organization.
In their notice of January 3, South Shore Medical Center writes:
This is an important notice for patients of South Shore Medical Center of Norwell, Kingston and Weymouth, Massachusetts. On December 3, 2012, the vendor that hosted our website informed us of a hacking incident that occurred between October 18, 2012 and November 15, 2012. This resulted in unauthorized access to certain information entered on our website between January, 2007 and November 15, 2012.
The breach did not impact our electronic health record system or our secure patient portal, MyHealth Online.
The information potentially accessed included data entered by patients when paying a bill online, requesting a school health form, e-mailing our organization, requesting a referral, requesting a prescription renewal, requesting an appointment, informing us of an address change, or registering as a new patient. The breached data may include first and last name, home address, phone number, e-mail address, health insurance identification number and, if patients made a payment on our website between October 18, 2012 and November 15, 2012, the credit card number, three-digit security code, and expiration date. In addition, new patients who registered online between January, 2007 and October, 2009 may also have had their social security number exposed.
There is no indication that any of the information has been misused in any way.[…]
In a lengthy letter of January 14, Child & Family Psychological Services writes:
As you are aware, Child & Family Psychological Services, Inc. also d/b/a Integrated Behavioral Associates (“CFPS”) had a website which allowed patients to communicate with CFPS. The website included an online intake form (the “Intake Form”) that patients could complete in order to request services with CFPS clinicians, as well as several other communication tools such as requests for prescription refills, requests for appointments, and a general contact form. CFPS engaged ClearPoint Design, Inc. (“ClearPoint”) in 2009 as the vendor to host, maintain and monitor that CFPS website.
On Tuesday, November 20, 2012, Mr. John Owen, the owner of ClearPoint, informed CFPS that ClearPoint had leased a dedicated server from a company called Hosting.com. ClearPoint housed the CFPS website and Intake Form data along with data of other customers of ClearPoint on this Hosting.com server. Mr. Owen also informed CFPS that Hosting.com informed him on or around November 19, 2012 of a potential breach of security of the Hosting.com server that housed the data of all of ClearPoint’s customers, including the CFPS website and Intake Form data. CFPS and ClearPoint immediately shut down the online forms and had all data removed from the compromised Hosting.com server. On Tuesday November 27, 2012, CFPS received written confirmation from ClearPoint that the Hosting.com server that housed the CFPS website and Intake Form data was breached between October 18, 2012 and October 29, 2012. ClearPoint informed CFPS that on or about October 21, 2012, a hacker modified a code on a website housed on the servers. This code diverted unencrypted payment information entered by a ClearPoint customer’s patient who was making online payment, to a Google Mail e-mail account set up by the hacker. Unlike some other ClearPoint customers, CFPS did not collect any payment information nor store any financial and/or credit card processing information on these servers. ,
There was no evidence at the time of the breach, nor has there been any evidence since that time, that the hackers sought out, took, or used any other information other than credit card information. It appears that the hacker did not access any health-related or medical record information of patients of other customers of ClearPoint, such as diagnosis, treatment, or any medical services that were housed in the compromised Hosting.com server. In addition, it appears that the hacker did not access social security numbers, dates of birth, insurance identification numbers, or any other personal identification numbers. It appears the only information accessed was the credit card information that patients of other customers of ClearPoint entered when paying a bill online.
Please note, that unlike other customers of ClearPoint, CFPS did NOT receive payments online; and did NOT collect any financial information through the website or the Intake Form. The information submitted on the CFPS online forms and subsequently stored on the compromised Hosting.Com server included requests for services, requests for prescriptions, requests for appointments, general contacts, and Social Security Numbers. CFPS did NOT collect, store or maintain any clinical records or other information other than as stated above on the compromised Hosting.com server CFPS maintains a totally separate, secure server, which houses clinical records, personal information, and financial information. That server was not compromised in any way.
On November 27, 2012 CFPS learned that because of the level of access that the hacker had (administrative rights), any and all unencrypted data on the Hosting.com server should be considered as possibly compromised. The CFPS data housed on Hosting.com included personal health information and was unencrypted during the breach period. Therefore CFPS is reporting the potential HIPAA breach to those who may be impacted. It is important to note that while social security numbers were, in some cases, part of the data, they were fully encrypted during the time of the breach and therefore were not vulnerable.[…]
So after telling patients that their data weren’t involved and it was only payment information of other practices, they turn around and say that data might have been compromised, except for Social Security numbers? While I give them points for attempting transparency, I would find their letter very confusing as that last paragraph appears to contradict their prior statement that “It appears the only information accessed was the credit card information that patients of other customers of ClearPoint entered when paying a bill online.”
I could find no notice on the web site of Harbor Medical Associates, P.C., nor any substitute notice in media that I searched.