DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Children’s National Medical Center blames former transcription vendor for privacy breach

Posted on May 10, 2016 by Dissent

In March, 2015, the D.C.-based Children’s National Medical Center  notified 18,000 patients of a breach that occurred between July 26, 2014 and December 26, 2014 after employees fell for phishing emails.  In May, 2015, they were sued over that breach.

Now, CNMC has disclosed another breach, this one involving a former vendor who provided medical transcription services. Their press release identifies the vendor as Ascend Healthcare Systems (Ascend), and states that Ascend provided services between May, 2014 and June 23, 2014.

 On February 25, 2016, Children’s National became aware that Ascend, an outside dictation vendor required under contract to maintain privacy of patient records, had inadvertently misconfigured a file site that contained patient information. This might have allowed access from the Internet to transcription documents for as many as 4,107 Children’s National patients via a File Transfer Protocol (FTP) server from February 19, 2016 to February 25, 2016.

CNMC states that the information in question did not contain billing or financial information or Social Security numbers, but patient data did include names, dates of birth, medication, and physicians’ notes regarding diagnosis and treatment. The exposure risk only impacted patients whose dictated notes were sent to Ascend for transcription between May 1 and June 23, 2014.

CNMC’s notice does not indicate how they became aware of the exposed data, but anyone googling a patient’s name might have come upon the data in search results and notified them. When CNMC did learn of the exposed files, they contacted Ascend.

Of note, according to CNMC, the data never should have been on Ascend’s FTP server in February, because CNMC terminated its contract with Ascend on June 23, 2014, and as part of the separation, “Ascend was contractually obligated to delete all Children’s patient information.”

As soon as the health system became aware of the issue, the transcription company, Ascend, was contacted and asked to re-secure the site and remove the transcription documents from the Ascend server. Children’s National is not aware of any unauthorized access to or misuse of these documents.

So  the vendor misconfigured their FTP server in February, 2016, and exposed protected health information that they had been obligated  to delete in June, 2014?  HHS should definitely investigate these allegations.

Ascend has sent no response as yet to an email inquiry from DataBreaches.net asking them how many other clients may have been impacted by the server misconfiguration, when and how the misconfiguration occurred, and whether they wished to respond to CNMC’s allegations that they were obligated to delete all the files back in 2014.  This post will be updated if more information becomes available.

Related posts:

  • NJ Settles Charges Against Business Associate Responsible for Virtua Medical Patient Data Breach: Vendor Owner Pays $200,000 and is Barred From Owning or Managing Any Business in NJ Again
  • NJ: Virtua Medical Group notifies 1,654 patients whose information was exposed on Internet (updated)
Category: Breach IncidentsExposureHealth DataOf NoteSubcontractorU.S.

Post navigation

← Ca: Law firm considers launching class action suit against Algonquin College over privacy breach
Ontario health privacy breach notification bill passes third reading →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.