[BreachExchange] Kingman Regional website configuration exposed patient info

Destry Winant destry at riskbasedsecurity.com
Thu Jun 13 01:26:35 EDT 2019


https://www.healthdatamanagement.com/news/kingman-regional-website-configuration-exposed-patient-info

A misconfiguration on the website of Kingman (Ariz.) Regional Medical
Center posed a security vulnerability to the data of an estimated
1,100 patients.

However, executives contend that a potentially larger issue was
avoided because of a routine review of the site.

On April 9, Kingman Regional learned that it may have had a possible
security problem with its public website. The issue was found during a
regular internal check of the public website, a step that some other
providers may not take, says Teri Williams, director of communications
and marketing.

“Web platforms need to be looked at; other hospitals should examine
the security of their public websites,” she advises. The checking of
the website likely prevented a larger breach, she adds.

An outside forensics investigation found the configuration of the
website made it possible for one or more unauthorized persons to view
information entered into the website by patients.

The provider’s website resides on an isolated computer server that is
not connected to other information systems, Williams says. The website
enables patients to request appointments; the data of 1,100 patients
was potentially exposed.

Possibly compromised data included patient names, dates of birth and
information related to medical conditions for which patients were
requesting services. Patient medical records, Social Security numbers
and financial information were not compromised, Williams says.

Now, the website has been removed from public view, and Kingman
Regional is taking steps to rebuild the site with additional
safeguards.

The organization is advising affected individuals to review statements
they receive from their healthcare providers and contact a provider if
the statement shows services that were not received.

