[BreachExchange] Hepatitis Patients' Data Exposed

Destry Winant destry at riskbasedsecurity.com
Mon Oct 14 23:20:18 EDT 2019


https://www.databreachtoday.com/hepatitis-patients-data-exposed-a-13241

The Philadelphia Department of Public Health inadvertently exposed on
its website the records of thousands of hepatitis patients, according
to a local news report.

The data exposure incident points to the need for better staff
training, says Paul Hales, an independent HIPAA attorney. "Staff must
be trained to protect health information privacy and properly
supervised," he says. "Ultimately the fault lies with senior
management and governing boards who are responsible for compliance
within their organization."

The Philadelphia Inquirer reports that one of its reporters on Oct. 11
discovered the accessible health department data, which included
reports of patients diagnosed with hepatitis B or C from 2013 to 2018.

"The reporter discovered the accessible data, which in one case
included 23,000 individual records of new cases of hepatitis C," the
newspaper reports.

The Inquirer said it notified the city's health department, which
immediately removed the data from its website. The newspaper says it
did not download or preserve the data. "Information included each
patient's name, gender, date of birth, address and test results, and
in some cases, Social Security numbers and notes by health providers,"
it reports.

It remains unclear how long the data was accessible or what led to it
being exposed.

In a statement provided on Monday to Information Security Media Group,
the Philadelphia Department of Public Health says it was notified on
Oct. 11 that personal health information was available for download on
one of the department's webpages. "The information was removed
immediately. Since that time, the health department had been working
with the vendor and city officials to find out what data was
potentially exposed, how many people's records were exposed, and what
actions are required to be done in response to the exposure," the
statement says.

In the meantime, the health department is assessing all data
available on the website to ensure no other personal information
is available and reviewing data presentation policies to prevent other
data exposure incidents, the statement says. "As we learn more about
what happened and who was affected, we will take appropriate actions."

Misconfigured Settings

The Philadelphia mishap appears to have similarities to a number of
other major healthcare data breaches involving misconfigured IT
settings.

For instance, among the largest health data breaches posted so far
this year to HHS' HIPAA Breach Reporting Tool website was an
incident reported in April by Inmediata Health Group. In that
incident, the Puerto Rico-based clearinghouse and cloud software
services provider said a misconfigured webpage setting potentially
exposed protected health information of 1.56 million individuals.

Also, in February, Seattle, Washington-based healthcare system UW
Medicine reported to HHS an incident involving a database coding error
that exposed PHI of more than 973,000 individuals to internet search
engines.

Other Health Department Breaches

Several data breaches involving state government health agencies have
been reported to the U.S. Department of Health and Human Services over
the years.

Those include a 2014 incident reported by the Montana Department of
Public Health and Human Services that affected more than 1.3 million
individuals.

And earlier this year, the Alaska Department of Health and Social
Services said it was notifying more than 700,000 individuals of a 2018
incident that was initially reported to federal regulators as
affecting only 501 individuals.

Sensitive Data Exposures

Like the breach of hepatitis patients' data in Philadelphia, many
other health data breaches have involved exposure of particularly
sensitive data.

For instance, health insurer Aetna has paid several financial
settlements related to a mailing envelope incident in 2017 that
revealed HIV-related drug information of about 12,000 health plan
members.

A multistate investigation by the attorneys general of several states
ended last year with Aetna signing a financial settlement agreement
with Washington, D.C., for $175,000, Connecticut for $100,000 and New
Jersey for $365,000, as well as a settlement with the state of
Washington, for which the amount was undisclosed.

Those settlements were in addition to a separate $1.15 million
settlement Aetna signed with the New York state attorney general's
office last year, and also a $1 million settlement earlier this year
with the attorney general of California.

On top of those settlements, in 2018 Aetna also signed a $17.2 million
settlement of a class action lawsuit filed against the company related
to that HIV data breach.

