Data Breach at Patient Home Monitoring Exposes 150,000 Patient Records
The medical records of nearly 150,000 patients were exposed when a security research team accessed the data storage account of Patient Home Monitoring (PHM), which coordinates in-home medical testing.
Kromtech Security Center, a data security firm, found the sensitive patient information stored in an unsecured Amazon S3 bucket, a cloud storage service many companies use to hold data. The patient information in the bucket included names, phone numbers, addresses, and weekly blood test and other test results. The doctor information included doctor names, client data and case management notes. In total, the exposed data amounted to 47.5 GB, including an estimated 316,000 PDF files.
“This Amazon repository was misconfigured to be [publicly] available and anyone with an internet connection could access these confidential medical records,” Alex Kernishniuk, vice president of strategic alliances, said in a statement. “Even the most basic security measures would have prevented this data breach.”
Kromtech notified PHM and healthcare authorities of the exposed information on October 5, and the problem has since been fixed. PHM has not confirmed whether it received the report from Kromtech, though.
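The misconfiguration described above is a bucket whose ACL grants access to everyone. The following added example (not code from Kromtech, PHM or AWS) classifies a bucket's exposure from its ACL and its Block Public Access settings; the dict shapes mirror boto3's get_bucket_acl() and get_public_access_block() responses, and the two inputs are constructed to model an open bucket and the same bucket after hardening.

```python
# Added example: classify an S3 bucket's exposure from its ACL and Block Public
# Access settings. Dict shapes mirror boto3's get_bucket_acl() and
# get_public_access_block() responses; all inputs here are constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# AuthenticatedUsers means any AWS account holder, not your own users: treat it as public.
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def public_acl_grants(acl):
    """Return (group, permission) pairs for grants that expose the bucket to everyone."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            grants.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return grants


def classify_bucket(acl, public_access_block=None):
    """Return 'public', 'blocked' or 'private'.

    public_access_block is None when the bucket has no configuration at all (boto3
    raises NoSuchPublicAccessBlockConfiguration in that case). IgnorePublicAcls makes
    S3 disregard existing public grants, so the bucket is exposed only when a public
    grant exists and that setting is off.
    """
    grants = public_acl_grants(acl)
    if not grants:
        return "private"
    settings = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    return "blocked" if settings.get("IgnorePublicAcls") else "public"


# Constructed inputs: an open bucket (READ for AllUsers lets anyone list it) and
# the Block Public Access configuration that neutralises that grant.
OPEN_ACL = {"Owner": {"ID": "exampleownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
NO_PAB = None
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}}

if __name__ == "__main__":
    print("open bucket:", classify_bucket(OPEN_ACL, NO_PAB))            # public
    print("after hardening:", classify_bucket(OPEN_ACL, HARDENED_PAB))  # blocked
```

A bucket policy with a wildcard principal can expose data independently of the ACL, so a full audit also checks the policy (or relies on BlockPublicPolicy and RestrictPublicBuckets, as in the hardened configuration).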
The Health Insurance Portability and Accountability Act (HIPAA) requires medical providers to create policies that will safeguard health information. In the case of a breach, HIPAA’s Breach Notification Rule requires providers to notify patients “without unreasonable delay” and “no later than 60 days following the discovery of the breach.” HIPAA also requires medical providers to notify major news outlets in any state where more than 500 affected patients live.
It is unclear what steps PHM has taken to notify patients of the exposed information.