Jeremiah Fowler reports:
On March 1st I discovered a non-password protected database that contained what appeared to be medical case files. I immediately notified the organization that we suspected was responsible based on information found inside the database. It was a Friday evening and the phone went straight to voice mail, leaving the database wide open and publicly accessible until Monday, March 4th when a followup determined that access had finally been restricted. It is unclear how long this data may have been exposed or who else may have had access to these highly sensitive medical records.
This discovery contained the records of an estimated 37,000 people who’s data has been potentially compromised in an alleged data breach involving New Jersey based Home Health Radiology Services LLC. These records contained names, date of birth, phone numbers, addresses, diagnoses, notes, and we even saw Social Security Numbers (SSN).
Read more on Security Discovery.
A lot of researchers do not seem to understand the realities of incident response in terms of HIPAA’s reporting requirements. If the researcher reported the discovery to the provider on March 1, there is pretty much no way that the company would have reported it to HHS/OCR by March 18. And as to the NJ state law, I would guess that the entity has to notify the state police, but whether they have to notify consumers or not may depend on what their logs show. Can they show that the researcher was the only one to access the records? If so, they might argue that there is no need to notify because there is no harm to consumers….? I’m really not sure, but I do think it’s unrealistic to expect notification so quickly under U.S. laws. Now under GDPR, we have a different story…..