Dozens of clinics, thousands of patients impacted by third-party data leak
EMR4all, Inc. was a California business providing free EMR software to physical therapy, speech therapy, and occupational therapy practices that used their associated patient billing service, Rehab Billing Solutions (RBS). Over the summer, they began shutting down operations and notifying their clients of their closure. Their effort to make a graceful exit wound up marred by a data leak that potentially impacts tens of thousands of patients and almost 30 clinics.
On September 10, MacKeeper security researcher Chris Vickery contacted DataBreaches.net to say he had found a leaky bucket on Amazon S3 that contained thousands of patient records.
“I was floored when I realized the magnitude of this breach,” Vickery told DataBreaches.net. “I immediately knew how complicated this one was going to be. When one vendor exposes records for 30 different medical practices, you can expect the client notification process to get very nasty very quickly.”
When Chris said there were 61 GB of data and about 260,000 unencrypted files, DataBreaches.net agreed to assist him in trying to contact the firms as quickly as possible. As part of that, I reached out to a contact at a major health insurer whose members were among those whose insurance information was exposed. My contact, in turn, promptly reached out to Amazon to request they contact the firms to secure the files (yes, it’s helpful to have contacts in high places when you’re trying to get mammoths like Amazon or the Trump organization to respond quickly). DataBreaches.net left also left voicemails and sent email to an email address that one of their clients helpfully provided to me when I contacted her.
On September 12, DataBreaches.net received a call from Todd Jones, the founder and CEO of the firms. By then, he had already heard from Amazon. Jones informed me that he had someone working on securing the clients’ files as we spoke.
Scope of Breach
As suggested by the screenshot of the directory, dozens of physical therapy and rehabilitation practices appeared to have patient records in the leaky bucket. Inspection of a sample of the exposed files revealed that there were batches of unencrypted completed insurance claim forms that included the insurer’s name, the patient’s name, postal address, insurance account number, date of birth, diagnostic code, treatment code, date of service, name of provider and provider’s information. Because some claims involved Medicare beneficiaries, their Social Security numbers were embedded in their Medicare number. Not all practices had patients’ SSN stored.
Other files included scanned copies of patient records with their relevant medical history such as patient intake forms and treatment plans.
Photocopies of insurance cards and driver’s licenses were also in the files.
As of the time of this publication, the firms say they are unable to state exactly how many patients had data in the exposed bucket:
Because of the unstructured nature of the data, it is not possible to determine the exact number of unique patients with data in the bucket. The universe of patients across all clients is 30,000, so it would be a smaller subset of that number.
In response to another question from this site, they indicated that the misconfiguration of the bucket occurred “when the AWS account was set up a number of months ago.” They say that they have not determined how many – and what – IP addresses accessed the bucket and downloaded files. That last piece of information could be important to patients trying to assess any risk they might face of identity theft.
The Firms’ Incident Response
Within approximately one week after being contacted by Amazon of the leak, the firms notified clients, they say:
We have also notified all our customers and former customers of this unfortunate situation involving our Amazon Web Service S3 account and are working with them to provide information to their patients.
DataBreaches.net spoke with one of the affected clients yesterday. He said he had received an email about the incident from the firm that stated that they had retained counsel to prepare a template letter that clients could use to send notifications to their patients. The client had not received that letter yet, but it appears that EMR4All/RBS will not be making the patient notifications themselves. They are providing clients a template letter and the names and addresses of those patients who may need to be notified.
It also appears that the firms are not notifying HHS or state attorneys general on behalf of their clients if notification is required, and the clients will also have to do those tasks for themselves:
We are working with our customers to provide them the information they need to notify HHS and their patients as required under the HIPAA Breach Notification Rule.
We have always taken our customers’ information security very seriously and we deeply regret any inconvenience this may have caused. We continue to monitor the situation closely and work with our customers on transitioning practice data and following up with further notifications and appropriate steps.
To date, the firms have made no mention of offering to pay for credit monitoring services for patients whose unencrypted Social Security numbers were exposed, so providers may be on the hook for those costs, too, should their patients demand such services.
Somewhat surprisingly, no one from the firms has asked me how much of their data I may have and whether I would delete it. Chris says that no one has asked him, either. But consistent with this site’s policy, data in this site’s possession was deleted once the firms sent me a statement acknowledging the leak and that it was a misconfiguration error on their part.
Read Chris’s coverage of this incident on MacKeeper Security Watch for additional details and analysis of the exposed data.
Lessons Learned – or Not?
Earlier this week, DataBreaches.net and Protenus released our report on how third-party breaches are a major concern in protecting patient data. This leak serves as another example of the potentially huge impact of these types of breaches.
If you haven’t done so already, review your BAAs to see if you have imposed enough security requirements, and review your procedures to see if you are monitoring your BAAs for compliance with those requirements. And then here’s a pop-quiz: see if you can answer the following questions about your BAA contract:
- In the event of a breach, does your business associate shoulder the cost of notifications or do you? Do they pay a lawyer to write the notification letter or will you have to pay your lawyer for that service? Who pays for the printing and postage? And do factor in your staff’s time for doing all of these things if the business associate isn’t responsible for doing them.
- What is your business associate’s contractual responsibility with respect to notifications to regulators? Will they have to notify HHS and/or state attorneys general, or will that fall on you?
- In the event of a breach, will your business associate pay for credit monitoring services for your patients or other mitigation that might be necessary and appropriate, or will you have to pay for it?
- Does your business associate carry adequate cyberinsurance for breaches? Do you check to see that they have a policy in place throughout the contract period? If not, I sure hope you have adequate insurance, because it is your relationship with your patients that will be jeopardized by a breach or a poor incident response to a breach. Check with your liability insurer to find out if your policy covers you for a breach, and if so, with what limits or exclusions. If your insurer covers you for a breach, will they also cover your costs if your third-party provider has a breach?
If you don’t know the answers to the pop-quiz, why not make a note to find out the answers this week?
Finally, if you don’t already have a lawyer on board who is experienced in handling HIPAA breaches, don’t wait until you’re in crisis mode to find one.