A patient at St. Joseph Health System of Orange County, California, discovered that his medical record was available through search engines. This discovery resulted in the system notifying approximately 30,000 individuals that their protected health information (“PHI”) had been accessible to search engines for almost a year.
St. Joseph stated that the records were stored on its internal computer network with incorrect security settings. Among other data, the patients’ names, diagnoses, medications, allergies, birth dates, race, and gender were subject to unauthorized access. St. Joseph contended that the data was not readily available but rather required a complex or extensive search to find.
St. Joseph is apparently trying to mitigate the breach by securing the files and working to eliminate residual or archived copies of the information on the internet. The system also provided the affected patients with free identity theft protection.
This case is another clear example of the need to continually audit your system’s security. Hiring a so-called “ethical hacker” to determine any security vulnerabilities would certainly be much less expensive than this notification and mitigation, even assuming that St. Joseph doesn’t also face a class action lawsuit, such as the one that Anthem Blue Cross faces from a similar breach. For more information, read the article by Howard Anderson, “Glitch Exposes Medical Records Online,” in Health Info Security.