While this blog post provides a description of a data exposure discovery involving Cohen Bergman Klepper Romano Mds PC, this is no longer an active data breach. As soon as the UpGuard Cyber Risk Team notified Accenture of this publicly exposed information, immediate action was taken, securing the open buckets and preventing further access.
The UpGuard Cyber Risk Team can now confirm that a digital data repository containing records from a Long Island medical practice was left publicly accessible, revealing medical details and personally identifiable information (PII) for over forty-two thousand patients. As detailed here and at databreaches.net, this data exposure appears to originate from Cohen Bergman Klepper Romano Mds PC, a Huntington, New York practice specializing in internal medicine and cardiovascular health, revealing such details as patient names, Social Security numbers, dates of birth, phone numbers, insurance information, and more.
The presence of physicians’ personal information in the files, such as their Social Security numbers and addresses, as well as over three million “medical notes,” each one a physician’s observation of a patient – such as a blood pressure measurement or a comment about a patient’s reflexes – further widens the exposure’s reach. This incident highlights the importance of securing digital assets which could result in the leak of protected medical information, particularly for smaller organizations like medical practices that generate such sensitive data.
The Discovery
On January 25th, 2018, UpGuard Director of Cyber Risk Research Chris Vickery discovered an exposed port within IT systems containing data involving the medical office. The exposed port in question, port 873, is typically used for rsync, or “remote synchronization,” a utility typically used to copy data from one machine to another.
While rsync can be secured against public access by employing the utility’s “hosts allow/deny” functions, it can also be configured for global access, allowing anyone to access the information knowing only the server’s IP address. In this case, lacking the protection provided by a directive to only allow particular IP addresses to access the rsync server, the repository was exposed to anyone who happened across it.
Revealed within were two sections titled “backupwscohen” and “backupsrvcohen.” Of the two partitioned areas, only “backupwscohen” was configured to be publicly accessible. Contained in this area are a number of files containing sensitive data. One of them is an Outlook backup saved as a .pst file, containing a large number of apparent email communications, while a virtual hard drive stored within the repository holds a number of documents about office staff. Staff home addresses, spousal details, and even the names of their children are revealed, and in at least one instance, the Social Security numbers for all family members.
A folder titled “TPSData” contains the largest amount of patient information, stored in a database across a number of tables. One table, titled “pracperson,” contains over forty-two thousand names. Taken together, the tables reveal Social Security numbers, dates of birth, phone numbers, email addresses, ethnicities, and insurance policy information. Perhaps most troubling is the presence in one table of over three million medical notes – each one a specific observation of an individual’s condition.
The Significance
The exposure of personally identifiable information about tens of thousands of individuals raises serious questions about how privileged medical information is secured on digital systems. While HIPAA regulations mandate the secure storage of patient records, PII, and medical information, this leak provides a vivid example of how easily such requirements can go unmet if technical errors go uncorrected.
Redacted image of “Person” data including LastName, FirstName, MiddleName, NameSuffix, SortName, SSN, Sex, DOB, Race, Language, MaritalStatus, HomePhone, Email, EmploymentStatus, SoundEx, HeadOfHouseholdID, RelationToHeadOfHouse, and more.
Redacted image of “Policy” data including Server_id, PlanID, PolicyNumber, Class, GroupNumber, SubscriberID, AssignBenefits, Description, StartDate, EndDate, TimeStamp, Last User, CreateStamp, Create User, AuthorizePayment.
Beyond the obvious sensitivity of any exposure of an individual’s medical background, the leak of patient – and doctor – Social Security numbers, in association with personal details like home address, insurance information, and date of birth, provide ample ammunition for fraudsters. Armed with the contact information for patients, and the knowledge of which doctor’s office they go to, malicious actors could also socially engineer exposed individuals, posing as a representative of the physicians to further extract sensitive information.
Word document listing personnel and vendors with keys to the office.
Finally, while the exposure was eventually secured by March 19th, it would be over a month after initial analysis and notification on February 12th, and following many phone calls and emails in the interim, before the data was no longer accessible. The Cyber Risk Team’s repeated efforts to alert the affected clinic as to the importance of this exposure, and the prolonged exposure of this information despite this, speaks to the vital urgency of implementing a durable process for use in acknowledging a breach disclosure and remediating the issue. Empowering personnel with directions on how to respond to news of a data exposure protects both the enterprise and any individuals whose information may be leaking.
