Mar 20, 2018
 
Protenus, Inc. has released its February Breach Barometer, with its analysis of 39 health data incidents compiled for them by this site. As I have done in companion posts to their previous reports, I am providing a list, below, of the incidents upon which their report is based. Where additional details are available, I have linked to them. In some cases, as in past months, the only information we have is what HHS has posted on their public breach tool (referred to by some as the “Wall of Shame”). Because HHS’s reporting form results in ambiguous reports, some incidents reported to HHS wind up being coded as “UNKNOWN” for breach vector in Protenus’s analyses. Similarly, HHS’s form does not seem to result in accurate estimates of the role of third parties or Business Associates, and Protenus’s report contains more reports involving third parties than HHS’s list would suggest or indicate.

Unlike previous months’ reports, though, you will see four “nonpublic” incidents in this month’s tally. I will be discussing those four incidents later in this post, but let’s start with a few of the highlights from Protenus’s report for February:

  • 39 incidents, with details for 28 of them;
  • 348,889 records for the 28 incidents for which we had numbers;
  • 16 Insider incidents, accounting for 177,247 records: 15 out of 16 were insider-error, and 1 was insider-wrongdoing;
  • 13 Hacking incidents, accounting for 160,381 records;
  • 11 Business Associate/Third Party incidents; and
  • 23 of the 39 incidents involved providers.

See their report for additional statistics and analyses, including their analyses of gap to discovery of breaches and gap to reporting/disclosing of breaches. Here is the list of the 39 incidents compiled for February:

Previously Unreported Incidents

Capital Digestive Care: On February 22, DataBreaches.net, acting upon a tip from a researcher, contacted CDC to notify them that they had an Amazon bucket leaking patient data without any login required. Some of the data included patient inquiries through their web site with patients’ name, address, phone number, date of birth, and some details or reason for inquiry or appointment request. It appears that the bucket was administered for them by LMO, but neither CDC nor LMO has as yet issued any detailed statement explaining the incident. On February 24, CDC sent this site a statement:

Until we have a full understanding of the situation, we are unable to comment. Like many companies, Capital Digestive Care contracts with 3rd party vendors for the management of its website. Those vendors are contractually obligated to maintain the security of sensitive information related to our organization. At this time, we are awaiting their full assessment. They have provided the below statement:

“LMO takes data privacy and cybersecurity seriously. LMO was notified of the situation and is currently investigating. We have no further comment at this time.”

They have issued no additional statement since then. At this time, then, we do not know the number of patients who had their data left exposed, we do not know how many had their data actually downloaded, and we do not know if this has been reported to HHS or any regulators (yet). There does not appear to be any statement on Capital Digestive Care’s web site at this time, nor on LMO’s.

BlueLibris: One of the more frustrating incidents uncovered in February involves a wearable device that can trigger an alarm to a central service if a patient or subscriber needs medical assistance. DataBreaches.net was contacted by a researcher who found a misconfigured MongoDB installation that was leaking what appeared to be a combination of production and development data for BlueLibris. DataBreaches.net reached out to Nortek, and getting no response, also attempted to reach Numera, sending them a notification and asking them to get in touch. Neither Nortek nor Numera ever responded, although the data appear to have been subsequently secured. Here are some snippets of data in the exposed files, where “sub” presumably refers to “subscriber” to the service:

}
“Spoke to sub she stated she had fallen around 1pm and her device never
signaled in. Then We did receive a signal at 5 tried to call subs home
no answer , phone # was wrong. Sub has updated her Home #”,

Spoke with sub [redacted by DataBreaches.net] he requested to disable the fall detector feature on his MSD device. Explained to him the risk of doing so and he
agreed. Fall detector disabled.”, “_cls” : “PatientAgentNote” }

Sub has a tingle in her face starting under her jaw going into her face.
Requested assist. I spoke to Cathy from Mennonite Manor she is sending
help. Reassured sub help is on the way.”, “_cls” : “PatientAgentNote” }

Because no one ever responded to notification attempts, DataBreaches.net notes that it is not certain that there were real patient/subscriber data, but at least some of the entries appeared to be genuine (e.g., Mennonite Manor is a real facility).

Rx Valet offers pharmacy discount cards. On February 10, DataBreaches.net was alerted to the fact that their subscriber/customer data was exposed without any login required. Skimming some of the data provided to this site, DataBreaches.net saw more than 100 files with patient names, names of prescribed medications ordered, email addresses, and last four digits of credit card used to pay for the purchase. The exposed data also revealed that it was easy to just increase a subscriber number in the URL by 1 and get another patient’s data.

The exposed data appeared to be hosted on a domain called ussdevelopment.com. Other data appear to have been exposed on universalstreamsolution.com.

DataBreaches.net contacted RxValet, who did respond to notification and followed up with this site. Although external counsel for RxValet did not provide specific answers to questions posed, DataBreaches.net did receive a statement today stating that RxValet will be posting a customer alert statement on the home page of its website this week. “Any required disclosures and reporting would follow shortly thereafter,” they state.

Neither ussdevelopment.com nor universalstreamsolution.com responded to attempts to contact them.

A Public School District in U.S.: In February, the hackers known as TheDarkOverlord re-emerged on Twitter after an absence of several months and named some of their presumed victims. One of their claimed victims was Union City Public Schools in Tennessee. Investigation by DataBreaches.net into that claim revealed that the hackers had made an error in their tweet and the identified district had NOT been hacked by them. DataBreaches.net subsequently learned which school district TDO meant to name, and has reached out to that district, but has not received any confirmation yet. Because TDO claimed to have gotten student health and counseling records, this incident was included but needs further investigation and confirmation. It may be deleted from February statistics at some point if there is no evidence of health data being acquired.

So that’s a bit of how February went for me. So far, March has been even worse in terms of leaking data. I genuinely appreciate all those who let me know what they are finding. I just wish entities were more responsible and accountable and would at least have the courtesy to acknowledge receiving a notification. I don’t put trackers on notification emails, but boy, there are times I wish I did!