Boston Medical Center contractor posts 15,000 patients’ e-records and demographics online

Healthcare and Public Health // Massachusetts, United States

The teaching hospital fired third-party vendor MDF Transcription after discovering the company uploaded the data to the vendor's website with no password protection. 

Hospital officials said they are not sure how long the information had been posted publicly. The medical center had been working with the vendor for a decade.

Boston Medical Center was notified on March 4 by another healthcare provider that MDF Transcription and its subcontractors "had incorrectly posted BMC physician office visit notes to the MDF website without password protection," a hospital spokeswoman told Information Security Media Group. "We immediately informed MDF and its subcontractors of this error and the website was removed from the Internet on the same day."

Physicians routinely record audio notes about patient visits and then have the notes transcribed so they can be added to electronic medical records.

"Several physicians at BMC utilized MDF to transcribe their notes. Once transcribed, these notes were made accessible to physicians by MDF through an online site administered by subcontractors of MDF," the spokeswoman said. "Unfortunately in this instance the information was not password protected by MDF and its subcontractors."

Between 25 percent and 27 percent of all health privacy law breaches involve a business associate, according to the Health and Human Services Department.
