A notification by Guardant Health, Inc. in California (“Guardant”) caught DataBreaches’ eye yesterday.
Guardant is a laboratory that performs cancer screening tests on samples received from its physician and hospital partners. Patient information that they received may have been inadvertently exposed between October 5, 2020 and February 29, 2024.
They explain:
Guardant recently determined that a file containing certain personal information related to samples collected in late 2019 and 2020 was inadvertently made available in a publicly accessible online platform. Guardant promptly removed the file from the online platform and initiated an investigation. The investigation revealed that a Guardant employee inadvertently transferred the file to the platform. The file was believed to have been transferred in October 2020, and on March 4, 2024, we were able to determine, based on a review of available records of activity, that the file was copied by unidentified third parties between September 8, 2023 and February 28, 2024.
They do not explain whether their access logs went back to October 2020 or if they were unable to determine if there was any access prior to September 8, 2023. Nor do they explain why it took them almost six months to discover that the file was being accessed by unidentified parties.
The information contained in the file varied per individual but may have included some or all of the following: names, ages, medical record and identification numbers, and medical information such as treatment information and dates, and test results. Significantly, no financial information or Social Security numbers were contained in the file.
They add:
As general good practice, it is recommended that you regularly monitor statements from your medical providers for any irregularities.
It’s also generally good practice to monitor and audit your system and files. How did this error go undetected for more than three years?
Their notification, submitted to the California Attorney General’s Office, does not disclose how many patients had data accessed by unidentified third parties. The incident has not yet appeared on HHS’s public breach tool.
DataBreaches contacted Guardant yesterday seeking additional details and an explanation of why the error went undetected for more than three years. No reply has been received by publication.