In a recent statement, the gastroenterology group Capital Digestive Care, based in Silver Spring, Maryland, announced that it had discovered a data breach. According to the statement, one of its business associates uploaded files to a commercial cloud server that lacked appropriate security controls, resulting in the exposure of the protected health information (PHI) of up to 17,639 patients.
The statement said that the online availability of sensitive data belonging to its patients was brought to the attention of Capital Digestive Care on February 23, 2018. The company promptly took action to secure the files and its systems to prevent any further unauthorized individuals from gaining access.
The company launched an investigation into the privacy breach to determine the types of information that had been exposed, the number of patients impacted, and whether the information had been used for malicious purposes.
The investigation confirmed that some sensitive data had been exposed, although the breach was limited to individuals who had visited its website and submitted information via the Schedule a Visit and Contact pages on the site. Information gathered by other means remained secure, including financial information entered on the Pay a Bill page on the website.
The types of information exposed were limited to names, addresses, email addresses, telephone numbers, and birth dates. Patients may also have had a limited amount of health information exposed. No patient accounts were compromised and the integrity of Social Security numbers and electronic health records was maintained.
In response to the breach, Capital Digestive Care has taken steps to prevent unauthorized access to PHI. All third-party vendors are now required to confirm compliance with HIPAA Security Rule provisions concerning the secure storage of personal data.
In accordance with HIPAA Breach Notification Rules, patients impacted by the incident have been notified by mail. Capital Digestive Care has provided those affected with information on monitoring and protecting their personal information.
It is unclear how long patient data were exposed or how many unauthorized individuals viewed patient information. Capital Digestive Care has not received any reports to suggest the exposed information has been obtained by unauthorized individuals or misused.