In March, 2015, the D.C.-based Children’s National Medical Center notified 18,000 patients of a breach that occurred between July 26, 2014 and December 26, 2014 after employees fell for phishing emails. In May, 2015, they were sued over that breach.
Now, CNMC has disclosed another breach, this one involving a former vendor who provided medical transcription services. Their press release identifies the vendor as Ascend Healthcare Systems (Ascend), and states that Ascend provided services between May, 2014 and June 23, 2014.
On February 25, 2016, Children’s National became aware that Ascend, an outside dictation vendor required under contract to maintain privacy of patient records, had inadvertently misconfigured a file site that contained patient information. This might have allowed access from the Internet to transcription documents for as many as 4,107 Children’s National patients via a File Transfer Protocol (FTP) server from February 19, 2016 to February 25, 2016.
CNMC states that the information in question did not contain billing or financial information or Social Security numbers, but patient data did include names, dates of birth, medication, and physicians’ notes regarding diagnosis and treatment. The exposure risk only impacted patients whose dictated notes were sent to Ascend for transcription between May 1 and June 23, 2014.
CNMC’s notice does not indicate how they became aware of the exposed data, but anyone googling a patient’s name might have come upon the data in search results and notified them. When CNMC did learn of the exposed files, they contacted Ascend.
Of note, according to CNMC, the data never should have been on Ascend’s FTP server in February, because CNMC terminated its contract with Ascend on June 23, 2014, and as part of the separation, “Ascend was contractually obligated to delete all Children’s patient information.”
As soon as the health system became aware of the issue, the transcription company, Ascend, was contacted and asked to re-secure the site and remove the transcription documents from the Ascend server. Children’s National is not aware of any unauthorized access to or misuse of these documents.
So the vendor misconfigured their FTP server in February, 2016, and exposed protected health information that they had been obligated to delete in June, 2014? HHS should definitely investigate these allegations.
Ascend has sent no response as yet to an email inquiry from DataBreaches.net asking them how many other clients may have been impacted by the server misconfiguration, when and how the misconfiguration occurred, and whether they wished to respond to CNMC’s allegations that they were obligated to delete all the files back in 2014. This post will be updated if more information becomes available.