Medical records are known to be a treasure trove for hackers. Once cyber-criminals have access to these, they can sell them on the black market for up to $10 (£7.67) per record, according to Anthony James at U.S. security firm TrapX.
But it seems cyber-criminals don’t have to hack into computer systems to access records: a ‘huge trove’ of confidential U.S. medical records was found on an unsecured server, accessible to malicious hackers and cyber-security professionals alike.
Gizmodo reports that tens of thousands – if not millions – of medical records were contained within a database that was readily accessible to anyone who gained access to it. The information that was online included New York patients’ demographic information, social security numbers, records of medical diagnoses, and treatments. There were also large amounts of other highly-sensitive records accessible. The files were reported to have originated from Bronx-Lebanon Hospital Centre in New York.
NBC News highlighted that the Bronx Lebanon Hospital said the medical records were the “target of an unauthorised hack by a third party”. This conclusion came from the hospital’s third-party vendor, iHealth Solutions. According to the hospital, iHealth took immediate steps to protect the medical records and both parties are “cooperating fully with law enforcement agencies”.
According to Kromtech Security Centre, a German security software development firm, the hospital and their vendor had in fact lied about the exposure being the result of a malicious cyber-hack. Instead, Kromtech’s analysis contends that the medical records were left unprotected on a backup storage device that wasn’t password protected. They also say that the records weren’t protected by an active firewall. A firewall establishes a barrier between a trusted, secure internal network and an outside network that is considered unsecured and untrusted. The lack of an active firewall can leave thousands of patients vulnerable, e.g. to identity theft and blackmail.
A big mistake for a hospital to make.
The leaked files have been secured now, but the data contained a number of intake forms for those who were enrolling onto the chemical dependency programmes for substance abuse. The security researchers who found the data told Gizmodo:
“… [the data] paints a full picture of the patient’s drug use, medical history and suicidal thoughts.”
This is most certainly private and sensitive information and would fall under a breach of the Data Protection Act (DPA) in the U.K.
Kromtech were the first cyber-security firm to discover the cache, when they conducted an independent security audit. Though the hospital and iHealth maintain that they were the victims of a cyber-attack, forensic evidence from Kromtech’s investigations tells a different story. If Kromtech’s findings are true, iHealth may be in serious violation of laws that govern the security standards for the protection of electronic health information.
Many data laws require healthcare providers to implement mechanisms to encrypt confidential medical data, to protect it from alteration or destruction, and to “guard against unauthorised access to electronic protected health information that is being transmitted over an electronic communications network”.
The hospital’s and iHealth’s action or inaction may breach this provision if they failed to encrypt the hard drive. Thus we can see why the hospital and iHealth may want to ‘cover up’ their failure to protect their patients’ records; if, indeed, that is what happened.