New York medical records discovered on an unsecured server

Medical records are known to be a treasure trove for hackers. Once cyber-criminals have access to them, they can sell them on the black market for up to $10 (£7.67) per record, according to Anthony James at U.S. security firm TrapX.

But it seems cyber-criminals don’t always have to hack into computer systems to access records: a ‘huge trove’ of confidential U.S. medical records was found on an unsecured server, accessible to malicious hackers and cyber-security professionals alike.

Gizmodo reports that tens of thousands – if not millions – of medical records were contained within a database that was readily accessible to anyone who found it. The information that was online included New York patients’ demographic information, social security numbers, records of medical diagnoses, and treatments. There were also large amounts of other highly-sensitive records accessible. The files were reported to have originated from Bronx-Lebanon Hospital Centre in New York.

Malicious hacker or mistake of the hospital?

NBC News highlighted that Bronx-Lebanon Hospital said the medical records were the “target of an unauthorised hack by a third party”. This conclusion was drawn from the hospital’s third-party vendor, iHealth Solutions. According to the hospital, iHealth took immediate steps to protect the medical records, and both parties are “cooperating fully with law enforcement agencies”.

According to Kromtech Security Centre, a German security software development firm, the hospital and their vendor had in fact lied about the exposure being the result of a malicious cyber-hack. Instead, Kromtech’s analysis contends that the medical records were left unprotected on a backup storage device that wasn’t password protected. They also say that the records weren’t protected by an active firewall. A firewall establishes a barrier between a trusted, secure internal network and an outside network that is considered unsecure and untrusted. Without an active firewall, thousands of patients can be left vulnerable, for example to identity theft and blackmail.

A big mistake for a hospital to make.

The leaked files have now been secured, but the data included a number of intake forms for patients enrolling in the chemical dependency programmes for substance abuse. The security researchers who found the data told Gizmodo:

“… [the data] paints a full picture of the patient’s drug use, medical history and suicidal thoughts.”

This is most certainly private and sensitive information, and exposing it would amount to a breach of the Data Protection Act (DPA) in the U.K.

Violation of HIPAA

Kromtech was the first cyber-security firm to discover the cache, during an independent security audit. Though the hospital and iHealth maintain that they were the victims of a cyber-attack, the forensic evidence from Kromtech’s investigation tells a different story. If Kromtech’s findings are true, iHealth may be in serious violation of the laws that govern security standards for the protection of electronic health information.

Many data laws require healthcare providers to implement mechanisms to encrypt confidential medical data; to protect it from alteration or destruction; and to “guard against unauthorised access to electronic protected health information that is being transmitted over an electronic communications network”.

The hospital’s and iHealth’s action, or inaction, may breach this provision if they failed to encrypt the hard drive. That would explain why the hospital and iHealth might want to ‘cover up’ their failure to protect their patients’ records; if, indeed, that is what happened.

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'