Supportive Concepts for Families, Inc. in Reading, PA offers services for clients with mental health and intellectual/developmental disabilities. A hardware upgrade in February 2013 left consumer information in an internal database exposed to the internet and indexed by Google, with no login credentials required.
The organization has posted a notice dated February 13, 2014 on its site, although it is not linked from the homepage; you have to look under the site's HIPAA section to find it:
SCFFI maintains an internal database that contains health information about our consumers. This database is used by our employees as they provide care to our consumers. The health information in this database is designed and intended to be accessible through our internal web portal only to authorized users who have been issued required log-in IDs and passwords. On December 16, 2013, we learned that the health information in our internal database was available on the internet by a Google search using the terms “Supportive Concepts for Families” and consumer first and last name, without using a log-in and password. The information available included names, addresses, social security numbers, dates of birth, dates of service, and consumer service notes entered by our employees.
We immediately investigated the incident and determined that when SCFFI employees performed a computer hardware upgrade in February 2013, some of the portal’s security settings were not properly set. Without the proper security settings, it was possible to access the web portal information from remote locations without using log-in and password authorization. Within one hour after discovering the breach on December 16, we changed the security settings so that only authorized users with log-in IDs and passwords could access and view our database. In our investigation, we reviewed the access history to the database through our computer logs going back to the upgrade in February 2013. We have found only a few instances of access that we cannot identify. Most access was made by SCFFI personnel just before the breach was reported to us, or by SCFFI personnel to confirm the nature of the problem before correcting the server’s security settings. We have no evidence about which records may have been accessed by unknown individuals or whether health information that may have been accessed has been misused.
Because protecting your personal information is important to us, we want to make you aware of two important things you can do to protect the consumer. First, keep a close watch on your bank statements, credit card statements, personal mail and other bills and financial statements for any suspicious or unauthorized activity. Second, you may want to consider placing a fraud alert on your credit files. A fraud alert lets creditors know to contact you before opening new accounts. You may call any one of the three credit reporting agencies at the number below. This will let you automatically place fraud alerts with all of the agencies. You will then receive letters from all of them, with instructions on how to get a free copy of your credit report from each.
- TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
- Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
In addition to restoring the security settings for our database, SCFFI staff will monitor internal consumer accounts for any suspicious activity, conduct random and frequent performance testing and monitoring of our database security, and have refresher training on our health information privacy and breach reporting obligations. SCFFI is also working with an information technology vendor to perform testing on our data systems to identify and correct any weaknesses that may arise.
Should you have any questions about this notice letter, or want additional information, please contact me directly at [email protected] or at 1-888-686-7233 (ext. 1230).
Please be assured that SCFFI is committed to providing quality care to our consumers, including maintaining the privacy and security of your personal and medical information. We take many precautions to provide adequate safeguards, and continuously modify our systems and practices to enhance the privacy and security of your information. We sincerely apologize and truly regret that this incident occurred.
Sincerely,
SUPPORTIVE CONCEPTS FOR FAMILIES, INC.
Drue Robinson, Chief Program Officer
SCFFI reported to HHS that the breach affected 593 clients. The incident was added to HHS’s public breach tool today.