Silver Spring, MD-based gastroenterology group Capital Digestive Care has announced that one of its business associates distributed files to a commercial cloud server that dd not have adequate security measures, exposing the protected health information of approximately 17,639 clients.
The exposure was brought to the attention of Capital Digestive Care on February 23, 2018 and were quickly put in place to secure the files and prevent unpermitted access.
A investigation into the privacy breach was kicked off to deduce the range of information that had been accessed and the number of patients impacted.
The review showed that some sensitive data had been obtained, although the breach was restricted to individuals that had visited its website and filed information via the Schedule a Visit and Contact pages via the website.
The range of data exposed was restricted to names, addresses, email addresses, telephone details and dates of birth. Clients may also have had a restricted amount of health information obtained. The login web page to the patient portal and the Pay a Bill pages were not impacted, so no financial information was obtained. No patient accounts were affected and Social Security information and electronic health records remained secure indefinitely.
Capital Digestive Care has implemented extra security tactics to block PHI violations. All external vendors must now prove compliance with HIPAA Security Rule provisions in relation to the secure storage of personal information.
All patients impacted by the breach have been made aware of it via mail and provided with data on monitoring and protecting their personal data. It has not been revealed how long patient data was exposed for and how many unauthorized individuals accessed patient data.
Capital Digestive Care has not been made aware of any exposed information being intercepted obtained by unauthorized parties.