Fairchild Medical Center server was exposing patient information for 4.5 years until a security firm alerted them
Ugh. Fairchild Medical Center had a misconfigured server exposing PHI from December 16, 2015 until they were alerted to the problem in late July by an unnamed security company who discovered the exposure.
Here’s their press release, below. Note that this does not (yet) appear on HHS’s breach tool.
YREKA, Calif., Nov. 25, 2020 /PRNewswire/ — In late July 2020, FMC was made aware of an issue involving a misconfiguration on one of its servers through a communication from a third-party security company unaffiliated with FMC. FMC immediately commenced an investigation and began working with third party computer specialists to determine the nature and scope of the issue. FMC also immediately addressed the misconfiguration and took steps to secure the server. A third-party security company verified that the server security change resolved the issue. Through the investigation, FMC determined that a misconfiguration existed from approximately December 16, 2015 to July 31, 2020 that allowed external individual(s) access to the server. On November 5, 2020, following and extensive review of forensic evidence associated with the server, FMC’s investigation determined that it could not conclusively rule out unauthorized access to records present on the server during the window of time when the misconfiguration was in place. As such, out of an abundance of caution, FMC reviewed the server to determine what records were present during that window. It was determined the information contained on the server includes medical images, names, dates of birth, patient identification numbers, exam identification numbers, provider names, and dates of examination. Please note, this incident did not affect an individual’s full medical record. Additionally, this incident did not affect any individual’s Social Security number, nor financial information.
Information privacy and security are among FMC’s highest priorities. FMC has strict security measures in place to protect information in our care. Upon learning of this incident, FMC moved quickly to respond. This included conducting an investigation with the assistance of third-party forensic specialists and engaging in steps to ensure the security of the one affected server. The security change of the server was verified by a third-party security firm to confirm resolution of the server security issue.
As a general reminder, FMC encourages potentially affected individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of a credit report. Individuals also have the right to place a “security freeze” on a credit report, which will prohibit a consumer reporting agency from releasing information in the credit report without express authorization. The security freeze is designed to prevent credit, loans, and services from being approved without consent. However, using a security freeze may delay, interfere with, or prohibit the timely approval of any subsequent request or application made regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, an individual cannot be charged to place or lift a security freeze on a credit report. An individual will be required to provide certain personal information and proof of identity to obtain a security freeze. As an alternative to a security freeze, individuals have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If an individual is a victim of identity theft, he or she is entitled to an extended fraud alert, which is a fraud alert lasting seven years.
Should an individual wish to place a security freeze, they may contact the major consumer reporting agencies: Experian – P.O. Box 9554, Allen, TX 75013; 1-888-397-3742; www.experian.com; TransUnion – P.O. Box 160, Woodlyn, PA 19094; 1-800-909-8872; www.transunion.com; Equifax – P.O. Box 105788, Atlanta, GA 30348-5788; 1-800-685-1111; www.equifax.com. Should an individual wish to place a fraud alert, they may contact the major consumer reporting agencies: Experian – P.O. Box 9554, Allen, TX 75013; 1-888-397-3742; www.experian.com; TransUnion – P.O. Box 2000, Chester, PA 19016; 1-800-680-7289; www.transunion.com; Equifax – P.O. Box 105069, Atlanta, GA 30348-5788; 1-888-766-0008; www.equifax.com. Further information regarding identity theft, fraud alerts, security freezes, and the steps an individual can take to protect personal information may be obtained by contacting the consumer reporting agencies, the Federal Trade Commission, or the appropriate state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Individuals can obtain further information on how to file such a complaint by way of the contact information listed above. Individuals have the right to file a police report if they experience identity theft or fraud. In order to file a report with law enforcement for identity theft, an individual will likely need to provide some proof that they have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement.
FMC recognizes that impacted individuals may have additional questions. For more information, individual may contact (833) 752-0849 from 6:00 am to 6:00 pm Pacific Time, Monday through Friday, except holidays or visit FMC’s website at www.fairchildmed.org.
SOURCE Fairchild Medical Center