A recent security breach demonstrates how having third-party vendors help with business functions can add risk to an organization and to the customers, patients, members, or clients of that company. Last month, patient records from Bronx Lebanon Hospital Center (BLHC) in New York were accidentally exposed for all the world to see. While it was not due to a malicious act, it’s still a significant breach. A third party exposed very private information to anyone who went to the effort to look, all due to a misconfigured system.
The vendor, iHealth Solutions (iHealth) out of Louisville, KY, provides solutions that help small to large organizations manage their practices. In this case, BLHC allowed them access to patient information. Unfortunately, a misconfigured Rsync backup server hosted by iHealth left the server and all of the information on it exposed.
The information that was exposed included not only names and addresses, but also diagnoses, mental health information, HIV status, sexual assault and domestic violence reports, addiction histories, and even religious affiliations of over 7,000 patients. Anyone who visited BLHC between 2014 and 2017 may have been included in this batch of information.
While iHealth does not believe any of it was misused, that is nearly impossible to know considering the duration of the exposure. In the meantime, anyone who visited BLHC during that time should monitor the explanation of benefits statements that are sent to the patient after each visit to a medical care provider. If anything looks odd or suspicious, contact the healthcare provider and/or insurance company to get it resolved right away.
Healthcare fraud is dangerous because the medical records tied to you now follow you. If it’s not already available to you, it soon will be: a provider in Nevada can access care records from New York and make decisions based on that information. Not only can fraud result in significant financial loss to its victim; as records continue to move from paper to electronic form, the risk of receiving an incorrect diagnosis or incorrect care increases if fraudulent entries are in play.
This issue involved an Rsync leak. Rsync servers transfer and synchronize files across computer systems, in this case between BLHC and iHealth, so that both hold the same data. Leaks like this one are unfortunately rather common. In this case, it was found when MacKeeper security researchers were using a tool called Shodan to do a routine sweep of the Internet for issues like this. When they find issues, they report them to the companies for resolution, in the hope that this happens before someone malicious gets to them.
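The failure described above is an rsync daemon that serves a module without any client authentication or address restriction. As an added example (not iHealth’s or BLHC’s configuration; both config fragments below are constructed), this script parses rsyncd.conf module stanzas and flags the settings that produce exactly that kind of anonymous, Internet-wide exposure, so an operator can audit a backup server before it goes live:

```python
"""Audit rsyncd.conf for modules that are readable (or writable) by anyone.

Flags a module when it has no 'auth users' (anonymous access), no 'hosts allow'
(reachable from any address), 'read only = no', or 'list = yes' (advertised).
rsync applies global parameters to every module unless the module overrides them,
and ignores whitespace inside parameter names; both rules are honoured here.
"""
import re

WEAK_CONF = """            # constructed: the kind of module that leaks a backup set
[backup]
    path = /srv/backup
    comment = nightly practice-management backup
    read only = no
    list = yes
"""

HARDENED_CONF = """        # constructed: same module, authenticated and IP-restricted
list = no
[backup]
    path = /srv/backup
    read only = yes
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
    hosts allow = 203.0.113.10
    hosts deny = *
"""

def parse_rsyncd(text):
    """Return (global_settings, {module_name: settings}); later keys win."""
    global_settings, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.match(r'^\[(.+)\]$', line)
        if header:
            current = header.group(1).strip()
            modules[current] = {}
            continue
        key, _, value = line.partition('=')
        key = re.sub(r'\s+', '', key).lower()        # "auth users" -> "authusers"
        (modules[current] if current else global_settings)[key] = value.strip()
    return global_settings, modules

def is_true(value, default):
    return (value if value is not None else default).strip().lower() in ('yes', 'true', '1')

def audit(text):
    """Map each module name to a list of exposure findings (empty list = clean)."""
    global_settings, modules = parse_rsyncd(text)
    findings = {}
    for name, settings in modules.items():
        eff = {**global_settings, **settings}       # module overrides global
        issues = []
        if 'authusers' not in eff:
            issues.append('no "auth users": anonymous clients are accepted')
        if 'hostsallow' not in eff:
            issues.append('no "hosts allow": module reachable from any address')
        if not is_true(eff.get('readonly'), 'yes'):    # rsync default is yes
            issues.append('"read only = no": clients can alter the backup set')
        if is_true(eff.get('list'), 'yes'):            # rsync default is yes
            issues.append('"list = yes": module name is advertised to everyone')
        findings[name] = issues
    return findings
```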
Shodan is a search engine for network devices and is available to anyone. According to its website, “Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence.” The company claims that users can see who buys smart TVs, what companies are still vulnerable to Heartbleed, and lots of other information.
iHealth stated that it took immediate steps to protect the data once the issue was uncovered.