A US orthopedic practice has admitted that patient healthcare information was inadvertently left on a server that anyone with an internet connection could access.
In a data breach notice, Mendelson Kornblum Orthopedic and Spine Specialists admitted that patient names, medical record numbers, dates of birth, gender, and medical image metadata were potentially exposed as a result of the data privacy lapse.
“The potentially viewable information did not include any medical images themselves, other diagnosis or treatment information, health insurance information, Social Security numbers, credit or debit card numbers, or financial account information,” the clinic stated in its notice.
Public-facing server
The issue was uncovered on January 5, and the clinic has since taken steps to bolster its security.
It’s unclear how long the problem existed before it was uncovered, much less whether anyone actually viewed the sensitive and confidential information on show.
The medical practice “identified and closed the vulnerability on the applicable server and reviewed and enhanced its existing security procedures to try to prevent similar incidents in the future” as well as notifying US regulators about the incident.
“Based on the findings of its investigation, the practice has no evidence of any misuse of any patient health information,” Mendelson Kornblum Orthopedic said, adding that it nonetheless advised its patients to remain vigilant and monitor their account statements and credit reports for any suspicious activity.
The Daily Swig asked Mendelson Kornblum Orthopedic how many patient records were potentially exposed by the incident.
No word back as yet from the clinic, but an entry on the US Department of Health and Human Services Office for Civil Rights breach report portal suggests that just under 29,900 patient records were caught up in the incident.