DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Children’s National Medical Center blames former transcription vendor for privacy breach

Posted on May 10, 2016 by Dissent

In March, 2015, the D.C.-based Children’s National Medical Center  notified 18,000 patients of a breach that occurred between July 26, 2014 and December 26, 2014 after employees fell for phishing emails.  In May, 2015, they were sued over that breach.

Now, CNMC has disclosed another breach, this one involving a former vendor who provided medical transcription services. Their press release identifies the vendor as Ascend Healthcare Systems (Ascend), and states that Ascend provided services between May, 2014 and June 23, 2014.

 On February 25, 2016, Children’s National became aware that Ascend, an outside dictation vendor required under contract to maintain privacy of patient records, had inadvertently misconfigured a file site that contained patient information. This might have allowed access from the Internet to transcription documents for as many as 4,107 Children’s National patients via a File Transfer Protocol (FTP) server from February 19, 2016 to February 25, 2016.

CNMC states that the information in question did not contain billing or financial information or Social Security numbers, but patient data did include names, dates of birth, medication, and physicians’ notes regarding diagnosis and treatment. The exposure risk only impacted patients whose dictated notes were sent to Ascend for transcription between May 1 and June 23, 2014.

CNMC’s notice does not indicate how they became aware of the exposed data, but anyone googling a patient’s name might have come upon the data in search results and notified them. When CNMC did learn of the exposed files, they contacted Ascend.

Of note, according to CNMC, the data never should have been on Ascend’s FTP server in February, because CNMC terminated its contract with Ascend on June 23, 2014, and as part of the separation, “Ascend was contractually obligated to delete all Children’s patient information.”

As soon as the health system became aware of the issue, the transcription company, Ascend, was contacted and asked to re-secure the site and remove the transcription documents from the Ascend server. Children’s National is not aware of any unauthorized access to or misuse of these documents.

So  the vendor misconfigured their FTP server in February, 2016, and exposed protected health information that they had been obligated  to delete in June, 2014?  HHS should definitely investigate these allegations.

Ascend has sent no response as yet to an email inquiry from DataBreaches.net asking them how many other clients may have been impacted by the server misconfiguration, when and how the misconfiguration occurred, and whether they wished to respond to CNMC’s allegations that they were obligated to delete all the files back in 2014.  This post will be updated if more information becomes available.


Related:

  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Two more entities have folded after ransomware attacks
  • British institutions to be banned from paying ransoms to Russian hackers
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks
  • Global hack on Microsoft product hits U.S., state agencies, researchers say
Category: Breach IncidentsExposureHealth DataOf NoteSubcontractorU.S.

Post navigation

← Ca: Law firm considers launching class action suit against Algonquin College over privacy breach
Ontario health privacy breach notification bill passes third reading →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Hungarian police arrest suspect in cyberattacks on independent media
  • Two more entities have folded after ransomware attacks
  • British institutions to be banned from paying ransoms to Russian hackers
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks
  • Global hack on Microsoft product hits U.S., state agencies, researchers say
  • Inquiry launched after identities of SAS soldiers leaked in fresh data breach
  • UK sanctions Russian cyber spies accused of facilitating murders
  • Michigan ‘ATM jackpotting’: Florida men allegedly forced machines to dispense $107K

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • British government reportedlu set to back down on secret iCloud backdoor after US pressure
  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals
  • As companies race to add AI, terms of service changes are going to freak a lot of people out. Think twice before granting consent!
  • Uganda orders Google to register as a data-controller within 30 days after landmark privacy ruling
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.