A researcher from a data loss protection company recently discovered that personal medical data for nearly 300,000 Californians were available online in an unsecured format and could be found through Internet searches, the AP/Forbes reports.
Aaron Titus -- a researcher from Identity Finder -- discovered the information and alerted Southern California Medical-Legal Consultants, the company that was using the data.
How It Happened
Joel Hecht -- owner of Southern California Medical-Legal Consultants, which represents health care providers seeking payment from patients receiving workers' compensation -- said the company put the records on a website that it thought only employees could use.
Titus said the firm failed to require a password for the website and failed to direct search engines not to index the pages.
The data that were available online included:
- Insurance forms;
- Physician notes about patients' health conditions; and
- Social Security numbers.
Southern California Medical-Legal Consultants' Response
Hecht said that the firm's internal security policies were not followed and that immediate action was taken to resolve the situation and ensure it does not happen again. The firm also has password-protected the data.
The company declined to provide further comment, saying the incident still is under investigation.
The incident raises privacy and security concerns as the U.S. moves to adopt electronic health records, according to the AP/Forbes.
Beth Givens -- director of Privacy Rights Clearinghouse, a not-for-profit group that tracks data breaches -- said, "Even the most well-designed systems are not safe."
According to the AP/Forbes, breaches of medical data are more likely as the health care industry increasingly becomes interconnected and more information is shared.
Federal officials could seek to exert greater regulatory authority over the security procedures of companies with access to medical records, the AP/Forbes reports (Robertson, AP/Forbes, 8/21).