Yesterday, DataBreaches.net reported on a misconfigured rsync backup that had been detected by Kromtech Security. The security firm had contacted DataBreaches.net for notification assistance on May 3 after unsuccessfully trying to notify iHealth Innovations that patient data from Bronx-Lebanon Hospital Center could be accessed and downloaded without any login required.
One week later, we still do not have answers to some pretty basic questions – like why iHealth Innovations actually needs all those sensitive records and details, but Mary Emily O’Hara of NBC News estimates that at least 7,000 patients had their data exposed.
Last night, a spokesperson for iHealth Innovations contacted DataBreaches.net and asked that we report the following statement:
iHealth Innovations and Bronx-Lebanon Hospital Center recently became aware that a single individual gained unapproved access to certain Bronx-Lebanon Hospital data. The privacy and security of patient information is a top priority and, upon learning of the unapproved access, iHealth immediately took several proactive steps to identify and remediate the issue. These steps include launching a comprehensive internal review to identify the scope of the event and necessary remediation measures, and engaging a leading IT security firm to investigate the matter.
While iHealth continues to work with a leading IT security firm to validate its analysis, at this time, iHealth believes that the issue has been contained. iHealth has no indication that any data has been used inappropriately. That said, iHealth and Bronx-Lebanon Hospital Center are continuing to take the appropriate steps needed to safeguard patient information and enhance data security policies and procedures.
iHealth did not respond to the questions I sent them in response to their statement, which included a question as to whether they or BLHC had asked Kromtech Security whether they would delete or securely destroy the patient data they had downloaded.
Note that on the one hand, iHealth does not blatantly “shoot the messenger” by claiming that Kromtech Security “hacked” them, but by the same token, iHealth does not actually admit that they made a mistake and left the data open to anyone who wished to download it. For its part, the hospital, which had declined to give DataBreaches.net any kind of substantive statement, reportedly told NBC News via email that their vendor had been “hacked:”
“iHealth Solutions, Inc. (iHealth) confirmed to Bronx-Lebanon Hospital Center that an iHealth server containing hospital data was the target of an unauthorized hack by a third party. The hospital and its vendor, iHealth, took immediate steps to protect the data,” the hospital said in a statement via email.
A “hack?” No. Maybe Bronx-Lebanon Hospital misunderstood what iHealth Innovations was reporting, or maybe their vendor somewhat suggested a hack where there was none. Either way, though, this was not a hack.
DataBreaches.net asked Kromtech Security for their comments on iHealth’s statement, and was sent the following statement by the German security firm:
As we recently reported, iHealth Innovations and Bronx-Lebanon Hospital Center exposed sensitive data to the public internet with no measures of authentication in place. Promoting good cyber-hygiene is in the interest of the Kromtech Security Research Center. During the course of our research we regularly download large collections of publicly available data for purposes such as accurately reporting on the scope of a breach as well as basic custodial verification. The exposed data was given the same treatment as any other discovery. As soon as we saw how sensitive the exposed data was and who the owner of the database could be, we immediately sent the data exposure notification email, and when we did not hear anything back we co-operated with an investigative journalist from databreaches.net who greatly assisted in reaching out to the responsible parties. There has been no improper usage of this data by the Kromtech Security Research Center.
However, seeing as the data was exposed by an improper configuration, it is entirely possible that someone outside of the Kromtech Security Research Center could have also come across the data and possibly downloaded it.
We respect the sanctity of data that arises from our findings and wish nothing more than to cooperate in good spirit and offer the reasonable assurances that are within our control.
The research we conduct is well within the established legal limitations and is not exploitative nor does it circumvent passwords in any sense.
Calling this situation a “hack” is like claiming to be a victim of a “burglary” when a) your garage door was left open for months, b) you didn’t read the monthly Neighborhood Watch newsletters warning you to secure your garage doors, and c) the neighbor who pointed out “your garage door is open and I just saw some guy just wheeling your lawnmower down the street” was ignored.
So my first thought was: I didn’t even know you could set up rsync this way. But yes you can, and there are a bunch of people asking how to and getting it explained to them. And they are being told how bad of an idea this is.
Next thought, will this get reported as a Data Breach? “The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.” They have no way of knowing if that data has been seen by third parties or not.
AFAIK, they should be able to determine accesses/downloads to their backup server.
And HIPAA doesn’t require notification in all cases. Remember that there has to be a risk assessment as part of that determination. If they can show it was just one IP address, and that IP address is Kromtech’s and there’s low probability of misuse/exposure, then….. ?
But then again: how can they be sure of low risk/misuse if: (1) they don’t know whether Kromtech has secured it or destroyed what they downloaded, and (2) they don’t know who else Kromtech shared data with and whether those recipients (including THIS site) may use or misuse the data.
I was surprised that neither iHealth nor the hospital seems to have asked Kromtech or this site whether we would destroy the data. Nor did they ask if/how we were securing any data.
And then THIS happened: the NBC reporter contacted one of the patients and interviewed her on-air. So does that make this a breach requiring notification? I would think that it does.
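The commenters above ask whether the operator could work out, from the backup server's own logs, which addresses pulled data and how much. As an added illustration that is not part of the post or of any of the parties' code, the script below scopes an exposure of this kind from rsync daemon logs: it groups sessions by client IP, counts bytes the daemon sent, and flags anonymous pulls (no `user@` in the session line, i.e. no auth user matched) from outside a trusted network. The log lines are constructed, the exact rsyncd line format is treated as an assumption, and the trusted-network default is a placeholder.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of rsync daemon log lines (not from the page). The shapes follow
# rsyncd's "rsync on <module>/ from <user@host|UNKNOWN> (<ip>)" session line and its
# "sent N bytes  received M bytes ..." summary; treat the exact format as an assumption.
SAMPLE_LOG = """\
2017/05/01 02:10:11 [4101] connect from UNKNOWN (198.51.100.7)
2017/05/01 02:10:11 [4101] rsync on backups/ from UNKNOWN (198.51.100.7)
2017/05/01 02:48:02 [4101] sent 734003200 bytes  received 2048 bytes  total size 734001152
2017/05/01 03:00:00 [4120] rsync to backups/ from ops@backup-host (10.0.0.5)
2017/05/01 03:05:10 [4120] sent 1024 bytes  received 52428800 bytes  total size 52428800
2017/05/02 22:15:43 [4301] rsync on backups/ from UNKNOWN (203.0.113.44)
2017/05/02 22:15:44 [4301] sent 4096 bytes  received 120 bytes  total size 734001152
"""

SESSION_RE = re.compile(r"\[(\d+)\] rsync (on|to) (\S+) from (\S+) \((\S+)\)")
BYTES_RE = re.compile(r"\[(\d+)\] sent (\d+) bytes\s+received (\d+) bytes")

def summarize_sessions(log_text, trusted_nets=("10.0.0.0/8",)):
    """Group rsyncd sessions by client IP; flag anonymous pulls from outside trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]  # placeholder trusted range
    sessions = {}  # daemon pid -> session details
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            pid, direction, module, who, ip = m.groups()
            # "rsync on" = client reads the module; no "user@" = no auth user matched
            sessions[pid] = {"ip": ip, "module": module.rstrip("/"), "pull": direction == "on",
                             "anonymous": "@" not in who, "bytes_sent": 0}
            continue
        m = BYTES_RE.search(line)
        if m and m.group(1) in sessions:  # bytes the daemon sent to that client
            sessions[m.group(1)]["bytes_sent"] += int(m.group(2))
    summary = defaultdict(lambda: {"modules": set(), "bytes_sent": 0,
                                   "anonymous_pull": False, "external": False})
    for s in sessions.values():
        e = summary[s["ip"]]
        e["modules"].add(s["module"])
        e["bytes_sent"] += s["bytes_sent"]
        e["external"] = not any(ipaddress.ip_address(s["ip"]) in n for n in trusted)
        e["anonymous_pull"] = e["anonymous_pull"] or (s["pull"] and s["anonymous"])
    return dict(summary)

def suspect_ips(summary):
    """External addresses that pulled data without authentication, largest transfer first."""
    hits = [ip for ip, e in summary.items() if e["external"] and e["anonymous_pull"]]
    return sorted(hits, key=lambda ip: summary[ip]["bytes_sent"], reverse=True)
```

On the sample, the internal push from `ops@backup-host` is ignored while the two anonymous external pulls are listed, the large one first; the same per-IP tally is what a risk assessment under the Breach Notification Rule would need to show.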