Arc of Erie County New York Reports that 3,751 Patients’ PHI Was Exposed on Internet in 30-Month Period

The Arc of Erie County New York (The Arc), a provider of person-centered services to individuals with developmental disabilities, has reported that two spreadsheets listing the protected health information of 3,751 patients were open to the public via the Internet, without the need for authentication, for more than 30 months from July 2015 to February 2018.

The two spreadsheets in question could be seen through the Internet by unauthorized individuals as a consequence of incorrect coding on the website. The error meant that a link published on the website brought viewers to a page where the spreadsheets could be accessed by anyone who logged on.

Those who suffered harm due to the breach, the majority of whom are developmentally disabled, had been enrolled in certain programs provided by The Arc. The spreadsheets listed sensitive information including, but not limited to, names, Social Security numbers and diagnosis codes.

Upon finding the error in February 2018, The Arc deleted the link to stop access to the spreadsheets and brought in a team of forensic computing experts and a data security firm to investigate the breach and help take action to limit the harm caused to patients going forward. The Arc has also made contact with search engine browser providers to make sure that any references or links to the information are permanently deleted from the search engine results pages. There is no evidence to suggest that the spreadsheets were accessed by unauthorized individuals or that any PHI has been viewed or copied, but neither is there anything that would allow that to be eliminated as a possibility.

Anyone affected by the breach has been contacted and offered the chance to avail of free credit monitoring and identity theft protection services for the next year.

To eliminate any additional privacy breaches, The Arc has amended its policies and practices and enhanced its privacy and data security procedures. Additional training classes have also been given to the relevant staff.

Author: Security News