DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

No need to hack when 682,000 medical records are leaking, Monday edition

Posted on March 27, 2023 by Dissent

On March 15, DataBreaches was contacted by a researcher who had found  a “bunch of medical docs.” The files included patient intake evaluations, laboratory results, medical records requests, insurance information forms, treatment or consultation notes, and other files you would expect to see in a patient’s records. The patients all appeared to be in Texas, and there were almost 683,000 files.

When the researcher couldn’t determine who owned the data, they requested DataBreaches’ help. The researcher’s confusion was understandable. There appeared to be scanned documents from numerous doctors and medical groups, although certain names cropped up more than others.  Most of the files were scanned pdf files and many were more than a decade old. The most recent files appeared to be dated in 2018 or so.

A Google search showed that one doctor, whose name appeared frequently, was still in practice in Texas at the same address that appeared on some of the letterhead correspondence. Researching the blob’s name led to a business with the same distinctive name as the blob. The business’s website was no longer online, but a copy could be found on archive.org.  The business owner was the same doctor that DataBreaches hypothesized might own the data in the blob.

Last Monday, DataBreaches sent a contact form message and then called Rakesh Patel, D.O. at the Endocrine and Psychiatry Center. The employee DataBreaches spoke to denied that they used that blob for storage, but DataBreaches insisted she tell the doctor that a blob with that name and files with his letterhead had been found exposed. DataBreaches left this site’s phone number with the employee for a callback from the doctor.

By approximately 24 hours after leaving that message, the blob was no longer available online, but there has been no callback.

Does Dr. Patel know how many IP addresses accessed and downloaded patient files? DataBreaches has no idea, but DataBreaches does know that protected health information was both accessed and acquired, making this a reportable breach under HIPAA.  So is Dr. Patel planning on notifying the almost 683,000 patients whose files were in the blob? Is he planning on notifying HHS or any regulators?  Time will tell.

Old, but Sensitive Data

The following are redacted snippets from a 5-page file for a new psychiatry patient. It  was completed in 2006 when the patient was 24 years old and seeking treatment for self-reported ADHD, anxiety, and depression.

The intake included the usual demographic information with date of birth and full Social Security number (full SSN was commonly collected back then). The doctor also reviewed his history of symptoms, the patient’s current and past medications and reactions to them, any other medical problems or significant health history, family psychiatric history, a patient-completed mood inventory checklist and a patient-completed checklist about symptoms related to adult ADHD.  And of course, there was a social section of the intake where the patient reported his marital status, current employment and employment history, any children, and any arrest history (he had one).

So not only was the sensitive information provided by a named patient in 2006 publicly accessible in 2023 to anyone who wanted to download it, but his records also revealed to the world his family members’ psychiatric history.

The screencaps below were just part of the first page of the 5-page file. They have been redacted by DataBreaches. Some information was not redacted because it is actually fairly common and would not enable identification of any one individual patient (e.g., having ADHD in conjunction with anxiety and depression is fairly common and a

 

Would that individual want all that past information about them and their family left publicly available with no authorization required to access it? And what about the risk of becoming a victim of fraud or ID theft due to the exposure of their name, date of birth, and full Social Security number?

It has only been one week since Dr. Patel was alerted to the breach. It would be understandable if he was first investigating to determine the full scope of the breach and then to figure out what his notification obligations are under HIPAA and any state laws.

DataBreaches will continue to monitor this incident to see if it is disclosed by the doctor and reported to HHS in due course, but again notes that old protected health information should either be securely purged if it is no longer needed for the purpose for which it was collected, or if it is still needed, it should at least be adequately protected. Having more than 680,000 old files stored without encryption in an exposed container can be a very costly mistake.

 

Related posts:

  • Tabb Inc. Security Gaffe Exposes 200,000 Background Check Files for More Than Six Months (2)
  • New York medical practices hit by “Bl00dy Ransomware Gang”
  • Does claiming you were hacked when you had really just screwed up violate the FTC Act?
  • U.S. medical entities fall prey to Pysa threat actors, but many haven’t disclosed it – at least, not yet.
Category: Breach IncidentsExposureHealth DataU.S.

Post navigation

← Updating: Cyberattack against CHRU Brest: what happened
NYS Secures $200,000 from Law Firm for Failing to Protect New Yorkers’ Personal Data →

1 thought on “No need to hack when 682,000 medical records are leaking, Monday edition”

  1. Adjhat says:
    March 27, 2023 at 2:41 pm

    Great work!! WOW!!

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.