Update: BioTel Heart notifies patients of vendor leak. Did vendor fail to notify them?
A cardiac monitoring firm is now notifying patients after a Google search on their name in January led them to an August, 2020 report on this site about a vendor’s leak. But why didn’t they know about it already from the vendor last year or from the notifications this site had sent them last year?
In August, 2020, DataBreaches.net reported on a data leak discovered by a researcher. The leaky Amazon s3 bucket appeared to be storing files related to patients having cardiac diagnostic monitoring and evaluation. The files included medical histories, findings, and insurance billing documentation requests. They came from numerous medical providers.
The researcher shared the data with DataBreaches.net in an attempt to determine who owned the storage bucket. The files had some recurring names on them, but neither the researcher nor DataBreaches.net were ever able to conclusively determine who owned the bucket, although it appeared to be either BioTel Heart or HealthSplash/SplashRx. HealthSplash appeared to be involved in insurance billing somehow for BioTel Heart, but neither entity responded to multiple attempts by this site to contact them to alert them to the fact that ePHI was exposed and possibly had been exposed since 2019.
It was only with Amazon’s assistance that the researcher was able to get the bucket secured. As is their policy, however, Amazon never told the researcher who their client was — only that they contacted them to secure the bucket.
On August 9, the bucket was secured and DataBreaches.net reported on the leak shortly thereafter. But DataBreaches.net continued to try to contact the entities to inquire whether either was notifying regulators or patients.
Getting no answers and seeing no disclosures despite the fact that more than 3 months had passed since the bucket owner had been notified by Amazon and the bucket had been secured, DataBreaches.net filed a watchdog complaint against both entities with OCR in November.
On February 2, DataBreaches.net got a phone call from a lawyer for BioTel. He informed this site that they had just discovered this site’s August, 2020 report about them having a leak and they were conducting an internal investigation to find out why they had known nothing about it until they came across this site’s reporting. He wanted to know how this site had attempted to contact them, and this site wanted to know whether it was their bucket and why neither they nor HealthSplash/SplashRx had responded to multiple attempts to contact them.
He never got back to this site, so DataBreaches.net has no idea what their internal investigation revealed.
Yesterday, a template of a notification letter to BioTel’s patients was uploaded to the California Attorney General’s site (BioTel also does business as LifeWatch Services, Inc. and CardioNet LLC). A copy of the notification is embedded below.
A few things jumped out at me:
- In its March 26 notification, BioTel described the incident as “recent.” This was not a “recent” incident. It began in 2019 and continued until August 9, 2020, as they note in their letter. Maybe they meant to say that it was not a recent incident but they only discovered it recently? They say that they discovered it on January 28, 2021.
- Their “discovery” at the end of January is only because they didn’t read their email back in August of 2020 and thereafter when we repeatedly reached out to them. The notification makes no mention or admission of that.
- The fact that they say the “discovered” the vendor’s leak in January, 2021 seems to indicate that their vendor never informed them of the incident. If that’s true, it would appear to be a violation of HIPAA, and it is no surprise to read in the notification that BioTel has terminated its relationship with the vendor. The notification never names the vendor.
- But what did BioTel find out from the vendor other than date of exposure, types of data, and the identities of the patients affected? Did the vendor have access logs? BioTel claims that there is no evidence of misuse of the data (and they are offering complimentary monitoring/restoration services). But how many unauthorized IP addresses accessed the data? How many downloaded it?
- BioTel says it will require the vendor to securely delete all files after they securely provide them to BioTel. That seems prudent.
This incident is not yet up on HHS’s public breach tool. DataBreaches.net hopes that OCR does not just close its investigation just because BioTel has now disclosed. Something went wrong here and a thorough review of risk assessment, business associate agreements, security protections, and incident response seems in order.
DataBreaches.net reached out to HealthSplash to ask them whether they ever notified BioTel of the leak last August and whether they examined logs to determine how many unauthorized IP addresses may have accessed or downloaded data from the misconfigured bucket. No response has been received by publication time, but this post will be updated if a response is received.
Updated April 1: BioTel reported this incident to HHS as impacting 38,575 patients.
Correction: On April 7, after reviewing the storage bucket, DataBreaches.net edited this post to remove any claim that there were 60,000 patient records. That appeared to be an error in our original calculations, and we apologize for the error.Sample BioTel Notice