Misconfigured Webpage Exposed Patient Data

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

Patient data exposed
Inmediata Health Group, Corp., a provider of clearinghouse services, software, and business processing solutions to health plans, hospitals, IPAs, and independent physicians recently announced a security incident affecting some customer data.

The incident was discovered in January 2019 when Inmediata found a misconfigured webpage was allowing some electronic health information to be viewed publicly. The webpage was allowing search engines to index Inmediata’s internal webpages that were used for business operations and not intended for public view.

What was exposed?
The health information involved in this incident includes patients’ names, dates of birth, genders, and medical claims information, with some affected individuals, potentially having their Social Security numbers exposed.

There is currently no information available on how many individuals were affected and how long the webpage was publicly accessible.

Inmediata’s next steps
Once Inmediata became aware of the incident, the misconfigured webpage was deactivated, and a computer forensics company was engaged to assist with the investigation.

At this time, there is no evidence to suggest the exposed information was subjected to unauthorized access or misuse, however, the possibility could not be ruled out.

Inmediata began notifying affected individuals by mail on April 22, 2019. The notification letters included information about the incident and steps the affected individuals should take to monitor and protect their personal information.

Verify you’re working with HIPAA compliant vendors
This breach serves as an important reminder that it’s not always the Covered Entity that causes a data breach.

It is critical to ensure you are working with vendors who are taking the appropriate measures to protect your patient data, and that you have a Business Associate Agreement in place with those vendors from the start of your contract with them.

In addition, you should verify your Business Associates (BAs) are ensuring their own HIPAA compliance on an annual basis. One way of doing this is by sending your BAs a compliance check. If you’re working with compliant vendors, they should be happy to respond to your request.

If you find you’re working with a non-compliant vendor, it may be time to rethink your relationship with them. After all, a data breach caused by them has a direct impact on you.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.