BreachExchange mailing list archives
Clients discover security breach on insurance carrier’s patient portal
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 2 Jul 2013 10:55:05 -0500
http://fox59.com/2013/07/01/clients-discover-security-breach-on-insurance-carriers-patient-portal/

A security breach with a local health insurance company has been exposing members’ home addresses, cell phone numbers, prescriptions and extensive medical information in an online portal. The company had no clue about the issue, until Fox 59 notified them. So how many people might have been impacted? Fox 59 is taking action, to find out and make sure it never happens again.

“I was just in shock when I saw it for the first time,” said a man who we’ll refer to as “Steve”. We agreed to keep the identities of the customers who we interviewed private. He said he couldn’t believe how easy it was to log onto his Advantage Health Solutions account and see other users’ private information. Steve showed us how it works.

“I clicked on the little people icon and got a screen that allowed me to put in a name or a date of birth and it brought up anyone with that name or date of birth and I could click on it and look at their records. I was astounded,” Steve said.

A woman who also didn’t want to be identified said her family also uses Advantage Health Solutions. She is concerned about who might now know about her family’s prescriptions.

“I don’t want people to know that we have narcotic medicine in the house. That was really scary to me,” said a woman we’ll refer to as “Joan”. She said it’s a major safety issue.

“The fact that someone can go online and pick and choose the people who have narcotics and possibly rob their house because they want drugs, that was my first thought,” Joan said.

The amount of personal information available on the site is quite broad and extensive.

“We know this person has cancer, that Advantage has paid almost $300,000 in medical bills, we know the medication she is on, the last time she was in the hospital, her primary care physician, where she lives, her phone number,” Joan said.

Fox59 wanted to know why all of this private health information was not being protected. So we went to Advantage Health Solutions’ Indianapolis office to find out. Advantage Health Solutions immediately fixed the problem.

“When you arrived they took immediate action. They have their own IT staff as well as a compliance officer and a general counsel and together they took action to immediately block the site,” said the company’s attorney, Joan Antokol. Antokol is a partner at Park Legal LLC and specializes in data privacy, security and records management.

The information was only available to the less than 400 people who had applied for a username and password and that doesn’t necessarily mean any of them saw other patients’ information, Antokol said. The company had been working with two vendors on the site and it appears this happened due to human error, Antokol said.

“Unfortunately, even though the system was tested multiple times in a test environment before it was launched, a series of icons were visible to registered users on the site,” Antokol said.

More than 70 percent of those registered clients only logged on once or twice, Antokol said.

“Our review is not yet completed at this point in time but the review we’ve done so far suggests this is an isolated incident,” Antokol said.

These clients spoke out because they want to make sure this never happens again.

“All the people that are in the plan need to know that their information is probably or possibly compromised,” Joan said.

“If enough people know this was happening perhaps there would be an outcry and then they’d do something about it and perhaps change it,” Steve said.

And they did change it. Antokol said the site will be down until they’re 100 percent sure everyone’s information is kept private, for good.

Antokol also said more than 57 percent of physicians across the U.S. use patient portals and they expect even more to add them in the coming year, due to Medicare and Medicaid incentives.

She said this is an important reminder also, for users of the sites to protect on their end too by having up-to-date antivirus software, logging off of their accounts and making sure their info is accurate on the site.