DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NY: Treasure trove of Grand Street Medical Associates patient data exposed and indexed

Posted on March 22, 2016 by Dissent

Grand Street Medical Associates is a multi-disciplinary practice in Kingston, New York.  At some point, what appears to be a vast amount of their patients’ protected health information was left exposed on an unsecured FTP server. The leak was discovered by a security researcher, who notified GSMA and then contacted DataBreaches.net on March 12.

According to data provided by the researcher and reviewed by DataBreaches.net, there were over 14,600 files and more than 20GB of data. Each file that we skimmed contained PHI on multiple patients. It appeared that the files were part of an effort to scan and digitize paper records from patients seen since December, 2011.

Dozens of files were labeled “patient demographics.” DataBreaches.net randomly selected one such file analyze the contents and found that it contained PHI on approximately 65 unique patients. For most of those patients, there was a new patient form that asked the patient whether they had had any recent bloodwork or labs,  whether they had had any testing done, and whether they had had any recent hospitalization. The new patient forms also required the patient to provide their:

  • name
  • marital status
  • date of birth
  • age
  • gender
  • phone numbers (home) and (work)
  • street address, city, state, zip
  • occupation/employer
  • spouse’s name & occupation
  • emergency contact (other than spouse)
  • SSN
  • Insurance & billing info

Approximately 40 of the 65 patients provided the requested SSN. Sixty patients provided their insurance information. For many patients, there were also photocopies of their insurance cards and driver’s licenses.

The new patient forms also included space for the patient’s signature on a HIPAA release form, and all patients in that particular file had signed the form, so their signatures were also caught up in the exposure.

In addition to the patients’ information, there was PII for friends or family members. When a family member was the subscriber to an insurance plan, their PII was also provided.

And that was just one of the “patient demographic” files. Other files appeared to batch patient medical information such as lab tests, consultations, progress notes on patients (172 files), consultations with hospitals, and insurance information.

Screencap showing some of the filenames of files exposed on unsecured ftp server.
Screencap showing a few of the  files exposed on unsecured ftp server.

To make matters worse, dozens of the more than 14,000 files were indexed by Google, while Filemare indexed over 6,300 files.

gsma2

 

Over 6,300 files were indexed by Filemare.
Over 6,300 files were indexed by Filemare.

Grand Street Medical Associates did not respond to two emailed inquiries asking how many patients had PHI in the exposed files, for how long their records were exposed, and how it happened (i.e., was any vendor or BA involved). Nor does DataBreaches.net know how many times the files may have been accessed or downloaded.

At this point, DataBreaches.net does not know whether GSMA intends to notify its patients and/or HHS, but such exposure put thousands of patients at risk of identity theft and medical identity theft, as well as the risk of having sensitive medical information shared broadly. If the data weren’t acquired by bad actors or misused, everyone can count their lucky stars.

DataBreaches.net delayed publication of this incident until the files were secured and cache cleared, as the files indexed by Google sometimes revealed the patients’ names, dates of birth, and other details.

This post will be updated if more information becomes available. Hopefully, GSMA will issue a statement that explains what happened and whether or not the files were accessed while they were exposed.

If you were or are a patient at GSMA, please contact this site to let me know if you have been contacted by GSMA about the incident.

CORRECTION: This post was corrected post-publication as an earlier version indicated that there were 172 “patient demographics” files. That should have read “progress notes” files. There were 70 patient demographics files.

Category: Breach IncidentsExposureHealth DataOf NoteU.S.

Post navigation

← Concordia warns university community about possible computer security breach
Three members of Syrian Electronic Army charged by feds →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dutch police identify users on Cracked.io
  • Help, please: Seeking copies of the PowerSchool ransom email(s)
  • RCMP thumb drive with informant, witness data obtained by criminals: watchdog
  • Evoke Wellness to Pay $1.9 Million to Settle FTC Claims That They Misled Consumers Seeking Substance Use Disorder Treatment
  • Former Hilliard treatment center employee accused of selling patient data on dark web
  • Trump Rewrites Cybersecurity Policy in Executive Order
  • AMI Group – Travel & Tours notice of ransomware attack
  • Resource: Insider Threat reports
  • Za: Cyber extortionist sentenced to eight years in jail
  • ICE takes steps to deport the Australian hacker known as “DR32”

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Republicans Move A Step Closer To Repealing Protections For Abortion Clinics
  • Democrats introduce bill that aims to protect reproductive health data
  • Don’t Mind If I Do: Montana Says Hands Off Neural Data
  • 23andMe leadership grilled by lawmakers demanding answers about data security amid bankruptcy sale
  • Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit
  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report