No Need to Hack When It’s Leaking, Friday Global Edition

For today’s episode of “No Need to Hack When It’s Leaking,” DataBreaches brings you three leaks involving patient/medical information: one from the U.S., one from India, and one from Australia.

Tridas Center

Jeremiah Fowler and the Website Planet research team discovered an unsecured database containing more than 16,000 records with personally identifiable information about pediatric patients. The records, which referenced Tridas eWriter interview system, contained patient ID numbers, names, date of birth, home address, school attended, special needs, medical diagnoses, behavioral or social problems, and other data types. Tridas eWriter’s online interview system is operated by the Tridas Group LLC. The researchers report:

The findings appeared to be a collection of records from Tridas eWriter questionnaires completed by parents, which the Tridas Center (where assessments of children would take place) suggested should be completed before the first evaluation appointment. We note that, according to the Tridas Center website, the Tridas Center closed on December, 31 2019.

Although the researchers seemed somewhat surprised by the sensitivity of the evaluation responses and narratives, it is actually quite common in the U.S. for evaluations to include detailed reporting and narratives by parents and teachers as part of the diagnostic and assessment process. But the data should be treated as personal and sensitive information and given adequate data security protection. It wasn’t in this case.

The Tridas Center appears to have been a HIPAA-covered entity.  Was this a reportable breach under HIPAA? Is Tridas is making any notifications? Can they even determine whether anyone accessed the information? According to Jeremiah Fowler, Tridas Group did not respond to his inquiries, although they did lock down the data.  Tridas has not responded to inquiries by DataBreaches as to whether they are reporting this incident to HHS.

Bahmini

The second leak was reported to DataBreaches by VPNOverview and involved an unsecured Amazon S3 bucket backup relating to the open-source Bahmni EMR and hospital management system. Bahmini serves over 500 websites in 50 countries with their integrated software and claims they manage patient data of over two million people.

According to VPNOverview researchers, an OpenMRS database backup contained medical information of 197,497 people: names, appointment dates, admissions, age, and gender.  As far as the researchers could determine, the information seemed to belong to people in the Chhattisgarh state of Central India.

VPNOverview reports that Bahmini responded quickly to their disclosure and locked the data down, but there is nothing that indicates for how long it was exposed or how many unauthorized accesses there may have been.

The report on this leak can be found at VPNOverview.

 Respiratory Clinical Trials

For a number of years, an entity in Australia conducted respiratory clinical trials. Research participants were told that everything was held in the strictest of confidence. Well, except for when they exposed more than a decade’s worth of the participants’ protected health information?

This leak was discovered by a researcher who contacted DataBreaches for assistance making responsible disclosure. After confirming that it was leaking and discovering that much of the the data appeared to be old, we were not totally surprised to learn that the only email address provided on the website did not work at all.

Directory of folders that were exposed.
Screencap provided by researcher has been redacted by DataBreaches.net.

 

The exposed files consisted of 80 GB of patient/participant medical files with their demographic information and relevant medical history, including history and updates on the research protocols. A google search revealed that the principal researcher  appeared to be still active but associated with a different entity.

At that point, we turned to the Australian Signals Directorate (Department of Defence) with a request that they alert the entity to lock down the data.

On follow-up, we found the data are still exposed, which is why we are not naming the entity at this point. When DataBreaches followed up with ASD, they informed this site that they had notified the entity. Why the data are still exposed after the government notified them they are leaking research participants’ medical details is unknown to DataBreaches.

About the author: Dissent

Comments are closed.