Server mis-configuration is turning to a key vulnerability leading to PHI breaches.  In a major health data leak, the University of Washington Medicine disclosed that data related to 974,000 patients was left exposed on the internet for three weeks because of a misconfigured server. This is the latest instance of patient data privacy at risk due to improper use of healthcare systems.

The breach came to light when one of the patients found a file with their own data while searching for their name on Google. The matter was brought to the attention of UW Medicine after which an internal investigation was carried out. It was later found that protected health information reporting files were visible by search on the internet from Dec. 4, 2018.

The misconfiguration occurred because of a coding error when data was being moved onto a new server. The files, according to UW Medicine, ‘contained patients’ names, medical record numbers, and a description and purpose of the information. The files did not contain any medical records, patient financial information or Social Security numbers.’ However, for some patients, the files did include the names of lab tests but not the results.

The breach was discovered on 26th Dec and UW Medicine took steps to remove the information from their site and any other third-party sites which might have saved the information related to patient data.

“Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results,” officials said in a statement. “All saved files were completely removed from Google’s servers by Jan. 10, 2019.”

It must be noted that this is the second instance of data breach at UW Medicine. Back in 2013, social security numbers and medical data of 90,000 patients became vulnerable when an employee opened an attachment containing malware. At that time, the provider paid almost $750,000 over the breach with an assessment to address patient data risks and vulnerabilities.

This time around UW Medicine officials have said that they will be reviewing their protocols and procedures to prevent such similar breaches in the future. For now, the breach has been reported with the Office for Civil Rights.

Server mis-configuration such as the one at UW is likely to overtake ‘phishing’ as a top source of breached data according to the Chief Security Officer at Box and current partner at Andreessen Horowitz Joel de la Garza.

A prime example of other instances such as UW medicine is the server security mishap at Rubrik, an enterprise software company focused on cloud data management. There, a misconfigured AWS Elasticsearch server led to private data exposure of major customers of Rubrik.

In a high-risk environment, organisations need to be wary of data leaks such as these. And while it’s safe to assume that this trend is poised to continue, the need of the hour is to educate the IT teams and staff about cybersecurity, data privacy, and data integrity.

Source: UW Medicine/Newsroom