Aaron Titus, chief privacy officer for Identity Finder, a security software firm, routinely does keyword searches on various search engines to look for vulnerable patient information. He says the approach he takes is to "start thinking like a lazy identity thief searching for large amounts of information."
So he manually punches in searches for keywords such as SSN, Social Security number, and common names of individuals, and looks for Microsoft Excel files and other file types that could contain large amounts of information. He then uses his firm's data loss prevention software to pinpoint whether the identified files actually contain sensitive data. When he makes a discovery, Titus contacts the organization involved and offers to help it remediate the problem free of charge.
During just such an exercise this spring, Titus discovered a database of about 300,000 names and Social Security numbers that was publicly accessible on a website of Southern California Medical-Legal Consultants, which represents medical providers in recoveries from workers' compensation insurers. The database included information on those who had applied for California workers' compensation benefits. The information was neither encrypted nor password-protected, and some of the information was cached by at least one search engine, Titus determined.
Southern California Medical-Legal Consultants restricted access to the files within minutes of being notified of the problem, Titus stresses. In a press release, the Southern California firm said it notified anyone who could have been affected by the potential breach. (But the incident has not yet been listed on the official federal tally of major health information breaches.) It's unclear how long the information was exposed on the web.
Identity Finder worked with the Southern California firm, at no charge, to help it secure the information, Titus says.
Joel Hecht, who owns Southern California Medical-Legal Consultants, said in the release that the database was stored on a computer that was "intended for internal purposes only and not linked to or accessible from, any of the company's web pages." He added: "Unfortunately, our internal security policies and procedures were not followed. We were notified, we took immediate steps to remediate the situation and we are taking long-term measures to ensure that nothing like this ever happens again." Hecht was unavailable for further comment.
Lesson to be Learned

So what's the lesson to be learned here? "You need to be aware of what information is available on your servers, and you need to understand that data security is much more than simply preventing unauthorized access," Titus says. "This breach, and others like it, don't happen because of hacks. They happen because employees ... make a mistake or don't follow internal protocols."
Todd Feinman, CEO at Identity Finder, says all companies, in healthcare and other sectors, "need to do a better job of managing their data." That includes tracking down, for example, all the locations where protected health information is stored and encrypting all sensitive information.
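The two recommendations above, verifying whether a file really holds sensitive data (as Titus does with DLP software) and tracking down every location where such data sits, can be illustrated with a small inventory scanner. The following is an added example and is not code from Identity Finder or from the article; it walks a directory tree (for instance a web server's document root), flags files containing plausibly valid Social Security numbers, and builds a constructed, clearly fake sample tree to run against. The file-extension list and the sample data are assumptions for the demonstration; spreadsheet formats such as .xls/.xlsx are binary containers and would need a real parser, which this example does not attempt.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Hyphenated SSN shape; word boundaries keep us off longer digit runs
# such as invoice or order numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from test data and
    placeholder values without touching real records."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> List[str]:
    """Return every plausible SSN found in a block of text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_tree(root: str,
              extensions=(".csv", ".tsv", ".txt", ".json", ".log")) -> Dict[str, int]:
    """Walk `root` and return {relative path: number of plausible SSNs}
    for every text-like file that contains at least one. The extension
    list is an assumption; extend it for the formats your servers hold."""
    hits: Dict[str, int] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the inventory
        count = len(find_ssns(text))
        if count:
            hits[path.relative_to(root).as_posix()] = count
    return hits


def build_demo_tree() -> str:
    """Constructed sample web root for the demonstration. The names and
    numbers are made up; 000-12-3456 and 987-65-4321 are deliberately
    invalid so the validation step has something to reject."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "exports", "claimants.csv"), "w") as f:
        f.write("name,ssn\n"
                "A. Claimant,123-45-6789\n"
                "B. Claimant,000-12-3456\n"
                "C. Claimant,987-65-4321\n"
                "D. Claimant,234-56-7890\n")
    with open(os.path.join(root, "index.txt"), "w") as f:
        f.write("Invoice 2011-07-1234 ordered 45-678\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, n in sorted(scan_tree(demo_root).items()):
        print(f"{rel_path}: {n} plausible SSN(s)")
```

Run against a real document root, the output is an inventory of files that should never have been reachable from the web, which is the first half of Feinman's advice; the second half, encrypting or removing what the scan finds, is a decision the scanner deliberately leaves to a human.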
This is not the first time we've reported on an incident involving patient data being exposed on the web. For example, WellPoint, a health insurer, has been dealing with two legal actions in the aftermath of an incident involving patient information that was accessible through an insurance application tracker website (see: WellPoint Class Action Settlement Near).
So if you want to keep your organization out of the headlines, don't delay; make sure you know where all protected health information resides, and take adequate precautions to protect it.