[BreachExchange] University of Chicago Medicine says some donor, patient information mistakenly exposed

Destry Winant destry at riskbasedsecurity.com
Thu Jun 6 09:37:21 EDT 2019


https://www.chicagotribune.com/business/ct-biz-university-of-chicago-data-exposed-20190604-story.html

The personal information of some University of Chicago donors and
patients was mistakenly exposed, the U. of C. health system has
confirmed.

University of Chicago Medicine acknowledged the data exposure in a
statement Monday after an independent security researcher notified it
of the problem. That researcher, Bob Diachenko, posted information
about the issue Monday on a cybersecurity news and consulting services
website and on Twitter.

The exposed information was part of a database that contained nearly
1.7 million records, Diachenko said.

U. of C. Medicine spokeswoman Ashley Heher said in an email Tuesday
that the database contained information from “substantially fewer
individuals” than 1.7 million, but declined to be more specific. One
person can be linked to more than one record.

U. of C. Medicine said in a statement that it is investigating the
matter but has determined that no unauthorized parties, beyond the
researcher, accessed the information. U. of C. Medicine said the
database has been secured, and that the researcher never downloaded
the full database and “only accessed a limited number of records.”

The exposure was the result of a vendor misconfiguring a server,
according to the statement.

Heher declined to say Tuesday what types of personal information may
have been compromised, but the health system said the database did not
contain detailed information from medical records. The compromised
data also did not include Social Security numbers, credit card numbers
or banking information, according to the health system.

“The University of Chicago and the University of Chicago Medical
Center take data privacy very seriously and work vigorously to protect
the confidentiality and security of sensitive information,” the health
system said in its statement.

Breaches involving the protected health information of 500 or more
people legally must be reported to the U.S. Department of Health and
Human Services Office for Civil Rights within 60 days from when the
breach is discovered. The Office for Civil Rights investigates such
breaches and can levy fines against health systems, depending on
severity.

In recent years, health systems across the country have been involved
in data breaches. More than 160 breaches involving 500 or more
individuals have been reported to the HHS Office for Civil Rights so
far this year, including six in Illinois.

Earlier this year, Rush disclosed that the personal information of
about 45,000 patients may have been compromised in a data breach. That
data did not include medical information, and Rush said, at the time,
that to its knowledge none of the information had been misused. Rush
said an employee of one of the hospital system's billing processing
vendors improperly disclosed a file to "an unauthorized party," likely
in May 2018, according to a letter sent to affected patients at the
time.

Diachenko is the founder of Security Discovery, which posts news about
data breaches and offers cybersecurity consulting and testing
services. Diachenko, who is based in Berlin and Kiev, said Security
Discovery is a nonprofit.

He said he and his team use search engines to look for data
vulnerabilities and then alert organizations when they’re found. He
said his primary goal is to increase cybersafety and educate
organizations and the public.

