Misconfigured database may have exposed 1.5 million individuals’ PHI: researcher (UPDATE2)

Alliance Health is a technology company that owns and operates a group of condition-specific social communities with over 1.5 million registered members. Their 29 communities include conditions such as arthritis, diabetes, Crohn’s, asthma, allergies, and HIV, but also includes mental health conditions such as ADHD, Bipolar Disorder, and anxiety disorders.

From Alliance Health's media kit
From Alliance Health’s media kit

To join a community, the member is asked to provide their first and last name, a valid email address, and their date of birth. They also need to disclose whether they have the condition or are joining out of  professional interest or have some other reason for joining. In some communities, they may have to provide additional information such as the type of diabetes they have (Type 1, Type2).

None of these records are likely covered under HIPAA even though there’s health information.

Community members can post under a nickname, but many members seem to provide their real first name in their posts in some communities, and many members use pictures (presumably of themselves) as their avatars.

In addition to the support and information communities, Alliance Health also offers access to affordable prescription medications, either home-delivered, or through their pharmacy network. To access that service, members need to provide their name, email address, telephone number, and insurance carrier. They have to agree to be called, and the caller then obtains additional personal, medical, and insurance information.

It’s that medication assistance program that likely triggers HIPAA obligations.

Like many other sites DataBreaches.net has reported on recently, Alliance Health had a configuration error in its MongoDB Database installation. The leak was reported to DataBreaches.net by Chris Vickery, who has uncovered other leaks including the Systema Software leak affecting numerous clients and millions of insurance or workers compensation claims, the Vixlet leak affecting 377,000 users of fan sites, a Slingo leak affecting 2.5 million online gamblers,  the MacKeeper (Kromtech) leak affecting 13 million, the Hzone app leak affecting over 5,000, the OkHello leak affecting 2.6 million, the iFit leak affecting 576,000, the CAVA leak affecting 74,000 students and employees of the network of charter schools, the Hello Kitty leak affecting 3.3 million, the Nomi leak of tracking data, and the Virtue Center leak affecting donors to chapters of the Council on American–Islamic Relations and other non-profit organizations.

Vickery notified DataBreaches.net of the Alliance Health leak on December 13, and after verifying the leak and obtaining more information from Vickery, DataBreaches.net provided notification to Alliance Health on December 16 by email, web site contact form, and voicemail message.

In a statement to DataBreaches.net, Tom Lakey, Director of Information Security thanked both Vickery and DataBreaches.net for their notifications and said that Alliance Health had addressed the security issue within hours of the first notification.

“We take data privacy and integrity very seriously and work diligently to protect customer information,” Lake wrote in an e-mail to this site. “The development team is analyzing activity logs since the inception of this database to determine if any prior exposure of data occurred. Thus far, no prior access to this data is evident aside from the activity of Chris Vickers (sic).”

Subsequently, however, Vickery informed DataBreaches.net that he could not account for six of eight IP addresses that Alliance Health submitted to him as having accessed the database, i.e., they weren’t his.

DataBreaches.net inquired whether Alliance Health was going to notify HHS of the leak involving records of those who contacted the medication assistance program. David Grant, General Counsel for Alliance Health, addressed that question in a subsequent statement to DataBreaches.net:

Our legal and technology departments are assessing this situation, and based on that assessment, the company will take the following steps:

– The company will notify HHS and any other entities promptly once the assessment is complete per all regulatory obligations. The law requires notification to appropriate agencies within 60 days, and we expect to have our analysis of this situation complete in a much sooner time frame and will notify appropriate agencies as soon as the investigation is complete.

– The company will notify all affected individuals per all regulatory

– The company will post a notice on our website per all regulatory
requirements. The company needs to make sure there are adequate resources to address any individuals’ concerns should they have any questions. The company does not want to unnecessarily alarm our customers without having completed an analysis of the exposed information and resources in place to respond to customers. The latest date the website notice will be posted is when the company sends out notification to affected persons.

Unfortunately, neither Lakey nor Grant addressed some very specific questions this site posed about one file in the database that appears to contain the protected health information (PHI) of those who applied for the medication assistance program: the “scrubbed_leads” file contains 1,585,289 records. One such record, redacted by Vickery, appears below:

A redacted record from the “scrubbed_leads” file. Alliance Health did not answer questions about this file’s purpose, so it’s not known if it was just from those seeking medication assistance or if it contained other marketing leads, etc.

Another record in the file, which DataBreaches.net is not revealing, concerned an individual who was underage and hence, not suitable for further follow-up at the time. That record was from 2012, which raised another question: why were those data being retained?  DataBreaches.net asked Alliance Health if they could explain whether data in that file were supposed to have been purged, but received no response to that question.

No explanation was offered as to whether the data in “scrubbed_leads” should have been encrypted instead of being stored in plain text. At various points, their spokesperson referred to the database as a “test” database, but it seems clear that it must have contained real PHI somewhere  if they will be notifying HHS. Vickery informs DataBreaches.net that he believes it was a production database in a test environment, and the labels in the database schema do use the label “production.”

As part of their incident response, Alliance Health is also moving up their next internal security review. According to Lakey:

We are accelerating the next planned periodic test and review of our data security to confirm that all of our customers’ private information is protected appropriately. This is our highest priority.

Alliance Health responded promptly to notification and seems to be working diligently to comply with their obligations. This post will be updated if additional information is obtained about the “scrubbed_leads” file as to why it was in plain text and whether it should have been purged. If this incident appears on HHS’s public breach tool, it will be noted as an update to this post.

DataBreaches.net does not know if any of the community forum member data or posts were stored in the database, but has been provided with no evidence that they were.

UPDATE 1: Alliance Health has posted a brief data security announcement on their web site:

On Thursday, December 17th, we learned that a database containing Alliance Health customer records was misconfigured making it possible for some customer information to be accessible via the internet using specialized data access tools .  We immediately secured the data base and began a thorough investigation. The company will notify any affected individuals and appropriate government agencies once we determine the extent of the issue. We take data privacy and security very seriously and work diligently to protect customer information.

Customers can contact [email protected] with any questions.

UPDATE 2: This incident was reported to the California Attorney General’s Office on February 15, as impacting 3,012 California residents.  Their letter is not yet available on the state’s site, so there may be further updates to this report. The incident has not appeared on HHS’s public breach tool (yet?). The firm posted the following notice to their web site today:

Alliance Health is committed protecting the security and confidentiality of our customers’ information.  Regrettably, this notice concerns an incident involving some of that information.

On December 17, 2015, we became aware that a test database containing customer information had inadvertently been left accessible via the internet from July 2013 to December 2015.  Upon learning this, we immediately secured the database and removed it from public view.  We also began an internal investigation and determined that customers’ names, addresses, telephone numbers, email addresses, medications and limited clinical information may have been included in the database. No social security numbers, credit card or banking information were contained in the database.

This incident did not affect all Alliance customers. It only affected a subset of people who submitted their information online prior to July 2013.

We have no indication that any of customer information has been used improperly.  However, out of an abundance of caution, we began sending letters to affected customers on February 15, 2016. If you believe you are affected but do not receive a letter prior to March, 4, 2016, please call 1-877-216-3862, Monday through Friday between 7:00 a.m. and 5:00 p.m. Mountain Time. Please provide the following reference number when calling: 6118020816

We apologize for this and want our customers to know that we take the protection of customers’ personal data very seriously. We have enhanced our security measures and performed an extensive audit of all of our databases.

Another statement issued by the company indicated that 40,000 individuals were notified.

About the author: Dissent

Comments are closed.