Misconfigured Security Settings Lead to 63,500 Middletown Medical Patients Having their PHI Exposed

A security setting that was not configured properly on a radiology system has led to the exposure of the protected health information of tens of thousands of patients of Middletown Medical, a multi-specialty physicians’ group based in Middleton, NY. The breach was first discovered on January 29, 2018.

On January 30, the interface was reconfigured so that unauthorized individuals could no longer obtain patient information. The length of time that the information was accessible remains unclear. The organization has revealed that just a limited number of patients’ PHI could have been downloaded by unauthorized persons.

Highly sensitive information, including financial data, Social Security details, and insurance information, was not downloaded. The breach included information such as names, client identification numbers, birth dates, confirmation that patients have received radiology services, and the appointment details for those services. In addition, a limited number of patients also had diagnosis codes, radiology images, and radiology reports downloaded.

The discovery of the mistake led to Middletown Medical refreshing its policies and procedures to implement new safeguards to ensure the confidentiality of documents containing PHI. Further training has been provided to employees on securing information systems, and amendments have been made to interfaces to ensure all information remains completely safe.

There have been no reports submitted detailing misuse of PHI. However, as an additional safeguard, all patients that may have been harmed by the breach have been offered complimentary identity theft recovery services for a period of 12 months and have been advised to carefully review their account statements and Explanation of Benefits statements for any sign of fraudulent transactions.

The data breach notification submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) stated that 63,551 patients had their PHI breached, making this one of the largest healthcare security incidents in 2018.

Author: Security News