On March 15, DataBreaches was contacted by a researcher who had found a “bunch of medical docs.” The files included patient intake evaluations, laboratory results, medical records requests, insurance information forms, treatment or consultation notes, and other files you would expect to see in a patient’s records. The patients all appeared to be in Texas, and there were almost 683,000 files.
When the researcher couldn’t determine who owned the data, they requested DataBreaches’ help. The researcher’s confusion was understandable. There appeared to be scanned documents from numerous doctors and medical groups, although certain names cropped up more than others. Most of the files were scanned pdf files and many were more than a decade old. The most recent files appeared to be dated in 2018 or so.
A Google search showed that one doctor, whose name appeared frequently, was still in practice in Texas at the same address that appeared on some of the letterhead correspondence. Researching the blob’s name led to a business with the same distinctive name as the blob. The business’s website was no longer online, but a copy could be found on archive.org. The business owner was the same doctor that DataBreaches hypothesized might own the data in the blob.
Last Monday, DataBreaches sent a contact form message and then called Rakesh Patel, D.O. at the Endocrine and Psychiatry Center. The employee DataBreaches spoke to denied that they used that blob for storage, but DataBreaches insisted she tell the doctor that a blob with that name and files with his letterhead had been found exposed. DataBreaches left this site’s phone number with the employee for a callback from the doctor.
By approximately 24 hours after leaving that message, the blob was no longer available online, but there has been no callback.
Does Dr. Patel know how many IP addresses accessed and downloaded patient files? DataBreaches has no idea, but DataBreaches does know that protected health information was both accessed and acquired, making this a reportable breach under HIPAA. So is Dr. Patel planning on notifying the almost 683,000 patients whose files were in the blob? Is he planning on notifying HHS or any regulators? Time will tell.
Old, but Sensitive Data
The following are redacted snippets from a 5-page file for a new psychiatry patient. It was completed in 2006 when the patient was 24 years old and seeking treatment for self-reported ADHD, anxiety, and depression.
The intake included the usual demographic information with date of birth and full Social Security number (full SSN was commonly collected back then). The doctor also reviewed his history of symptoms, the patient’s current and past medications and reactions to them, any other medical problems or significant health history, family psychiatric history, a patient-completed mood inventory checklist and a patient-completed checklist about symptoms related to adult ADHD. And of course, there was a social section of the intake where the patient reported his marital status, current employment and employment history, any children, and any arrest history (he had one).
So not only was the sensitive information provided by a named patient in 2006 publicly accessible in 2023 to anyone who wanted to download it, but his records also revealed to the world his family members’ psychiatric history.
The screencaps below were just part of the first page of the 5-page file. They have been redacted by DataBreaches. Some information was not redacted because it is actually fairly common and would not enable identification of any one individual patient (e.g., having ADHD in conjunction with anxiety and depression is fairly common and a
Would that individual want all that past information about them and their family left publicly available with no authorization required to access it? And what about the risk of becoming a victim of fraud or ID theft due to the exposure of their name, date of birth, and full Social Security number?
It has only been one week since Dr. Patel was alerted to the breach. It would be understandable if he was first investigating to determine the full scope of the breach and then to figure out what his notification obligations are under HIPAA and any state laws.
DataBreaches will continue to monitor this incident to see if it is disclosed by the doctor and reported to HHS in due course, but again notes that old protected health information should either be securely purged if it is no longer needed for the purpose for which it was collected, or if it is still needed, it should at least be adequately protected. Having more than 680,000 old files stored without encryption in an exposed container can be a very costly mistake.