The Painted Turtle is a non-profit organization in California that operates a camp for children with life-threatening diseases and their families, and does so each year, free of charge to the families.
As part of their process, prospective campers and their families, as well as volunteers, submit an online application. For campers and their families, the application includes their name, address, personal medical information, and health insurance information. For volunteers, the information includes their name, address, Social security number, driver’s license number, personal medical information, and employment information. The application does not request bank account or credit card information.
Unfortunately, a glitch in the online application system potentially exposed campers’ and volunteers’ information.
Campers and family members’ information was potentially viewable by individuals they listed as a Medical Provider or Emergency Contact, but their information would not have been viewable unless a few events collided in time. Specifically: (1) they would have had to identify someone as a Medical Provider or Emergency Contact in their application in 2013–2014, and (2) that person would have had to begin filling out an application as well, and (3) while that person’s application (and their application) was still pending, (4) they would have had to access their pending application and click “show related profiles” and their name.
Volunteers’ information would not have been viewable unless (1) they had identified someone as a Reference in their application in 2013–2014, and (2) that person would have had to begin filling out an application as well, and (3) while that person’s application (and the volunteer’s application) was still pending, (4) they would have had to access their pending application and click “show related profiles” and their name. The volunteers’ information would not have been accessible to anyone outside of the persons they listed as References in your application.
The Painted Turtle became aware of this issue on January 12, 2015, and immediately took the database offline to prevent anyone from being able to access the records. The database’s code was updated to prevent future problems.
In a letter dated March 6 signed by Blake Maher, The Painted Turtle notes that they have no evidence that any information has been misused, but are offering those affected services through ID Experts.
Copies of the two types of notification letters have been uploaded to the web site of the California Attorney General.
The Painted Turtle does not say how many campers and volunteers were affected by the misconfiguration, and I do not find any statement on their site as to whether they are covered by HIPAA, so it’s not clear whether this breach will appear on HHS’s breach tool. They note that
Since 1988, The SeriousFun Children’s Network of camps has improved the lives of more than 518,000 children and their families from over 50 countries and throughout all 50 United States. They strive to serve more than 75,000 children with varying medical conditions every year — all free of charge.
It’s a shame that this happened to them, and I do hope some generous donors help them so that funds can be devoted to services for children and families and not ID theft services. Hopefully, ID Experts gave them a good deal.