DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Glens Falls Hospital and business associate sued over patient records exposure breach

Posted on April 18, 2013 by Dissent

Scott Waldman reports that Glens Falls Hospital has been sued over the patient record exposure breach caused by its business associate, Portal Healthcare Solutions. I had previously discussed this breach, here.

The lawsuit was filed as a potential class action lawsuit in State Supreme Court in Saratoga County yesterday on behalf of Dara Halliday and Teresa Green. It names the hospital, Portal, and Carpathia Hosting as defendants.

According to the complaint,  the plaintiffs discovered the breach on March 7, when they googled their names and found links to their doctor’s reports on them that included their past and current medical treatment, medications, social history, physical examination, laboratory data, and future treatment plans.  The files could be accessed, viewed, and printed or downloaded by anyone without restriction  – a point that both the hospital and Portal Healthcare have both acknowledged. It is not clear from the complaint whether the plaintiffs notified the hospital on that date or if they ever notified the hospital, but the hospital’s subsequent letter to patients and statements to the press indicate that they first learned of the breach on March 14. A. K. Jay Jaiswal, Portal’s CEO, informs PHIprivacy.net that the hospital notified them on March 14, and they immediately secured the server.

The complaint alleges negligence, failure to timely notify patients, failure to reveal the true scope of the breach, breach of warranties, and breach of contract.

Of particular interest to me, according to the complaint, Glens Falls Hospital’s notification letter to patients dated April 3 stated that they were unable to determine whether the files had ever been accessed or downloaded because Portal’s “access records are unavailable.” In a statement sent today to PHIprivacy.net, Jaiswal states that on the evening of March 14, the hospital requested two days’ worth of FTP access logs, which Portal provided on March 15. The FTP access logs roll over, however, which may explain why the hospital claimed it was not able to determine whether files were accessed or not. Jaiswal states that forensic examiners subsequently made a two-day on-site visit and made copies of two servers to take back for further examination. Portal’s copies of the servers’ contents and the original servers were placed in a bank vault and sealed as evidence. Jaiswal stands by his previous statement to PHIprivacy.net that the actual window of exposure was March 5 – March 14, and not November – March. He tells PHIprivacy.net that in the absence of access logs, the hospital used the folder creation date as the earliest date:

It is my understanding that because documents posting to the in transit folder started in Nov 2012 hospital took the position that documents may have been exposed from that date. In reality the documents analyzed by hospital’s own forensic experts who looked at forensic META FILE of each document came to two conclusions – documents were created between Nov 2012 to Jan 2013; and accessed by hospital only. They were not able to identify any additional access information.

But if the two plaintiffs were allegedly able to access the files on March 7, where are the logs showing that access? The access log situation is something HHS may wish to consider in terms of any audit or investigation.

If Jaiswal is correct in his claims, it appears that patients seen between November 2 and March 14 may have had their doctor’s notes available for viewing or access, but only between March 5 – March 14. While that would still be distressing, it doesn’t seem quite as horrific as if the files had been exposed for a 4-month period. The hospital, however, maintains that the exposure window was between November and March. It should make for interesting discovery.

The complaint alleges that plaintiffs have suffered significant and irreparable harm, including anxiety and emotional distress, and they seek monetary damages for the loss of privacy, credit report monitoring, and identity theft monitoring. The Saratogian reports, however, that the hospital says it has already offered affected patients free credit monitoring and identity theft protection. Whether any claim for emotional distress and anxiety can survive a motion to dismiss in NYS is unclear to me.

For his part, Jaiswal says that this breach has been “an experience of the life time” and they moved quickly to ensure this type of problem never occurs again. “I wish we can un-ring the bell but I cannot so the measures we have put in place and improved ensures full protection,” he tells PHIprivacy.net.

Category: Health Data

Post navigation

← Data Breach Lawsuits – Revisiting the Risks
Justice Institute employee sues ICBC for privacy breach that allegedly led to her vehicle torched, bullets fired at home →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.