Threatwatch

Mental health and developmental disability patient data visible on Google for 10 months

Accidentally leaked credentials; Data dump; Insider attack

A hardware upgrade at Supportive Concepts for Families in Reading, Pa., left consumer information organized in an internal database exposed on Google. No login credentials were required to see the records.

“They have posted a notice dated February 13, 2014 on their site, although it is not linked from their homepage, and you’d have to search under their HIPAA section of their site to find it,” PHIprivacy.net reports, referring to the 1996 Health Insurance Portability and Accountability Act.

The information that appeared included names, addresses, Social Security numbers, dates of birth, dates of service, and consumer service notes entered by employees.

Supportive Concepts officials found “a few instances” in which unidentified users accessed the data.

The company’s notice states that Supportive Concepts “learned that the health information in our internal database was available on the internet by a Google search using the terms ‘Supportive Concepts for Families’ and consumer first and last name.” The notice added that, during the system upgrade, “some of the portal’s security settings were not properly set.”

The company told the Health and Human Services Department that the breach affected 593 clients.

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves. 

Sector: Healthcare and Public Health

Reported: February 24, 2014

Reported by: PHIprivacy.net

Number affected: 593 patients

Location of breach: Pennsylvania, United States

Perpetrators: Employees

Location of perpetrators: Pennsylvania, United States

Date breach occurred: February 2013

Date breach detected: December 16, 2013