Ignoring leak reports and inquiries is just asking for trouble
This is an example of how NOT to secure patient information and how NOT to respond when you’re contacted about a vulnerability.
Kevin Wetzel of SLC Security Services LLC posted a vulnerability report on Cape Fear Valley Health System in Fayetteville, NC. The vulnerability, first noted by SLC on August 26, was described as the entity leaking PII and PHI via unencrypted email. Over 1,000 patient records were noted, although SLC did not continue to monitor the leak as SLC is not one of their clients. They describe the leak this way:
This entity is leaking information containing PII and confidential patient information to include name, date of birth and location as well as diagnostic and treatment information. There are multiple issues with this entity to include email issues as well as unencrypted radio communications and potential wireless issues at their location
If that’s true, then Ouch!
Wetzel reports that he spoke with the privacy officer at Cape Fear Medical:
That office stated that their IT Security Personnel would be in touch with our office to obtain the information as of 9/9/2014. No follow up has been acknowledged.
So what happened then? Has Cape Fear investigated? Has it notified patients of any leak? Has it notified HHS?
Cape Fear Valley did not respond to an email inquiry sent to them on September 18 by PHIprivacy.net.