BreachExchange mailing list archives

Clients discover security breach on insurance carrier’s patient portal


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 2 Jul 2013 10:55:05 -0500

http://fox59.com/2013/07/01/clients-discover-security-breach-on-insurance-carriers-patient-portal/

A security breach with a local health insurance company has been
exposing members’ home addresses, cell phone numbers, prescriptions
and extensive medical information in an online portal.

The company had no clue about the issue, until Fox 59 notified them.
So how many people might have been impacted?

Fox 59 is taking action, to find out and make sure it never happens again.

“I was just in shock when I saw it for the first time,” said a man who
we’ll refer to as “Steve”.

We agreed to keep the identities of the customers who we interviewed private.

He said he couldn’t believe how easy it was to log onto his Advantage
Health Solutions account and see other users’ private information.

Steve showed us how it works.

“I clicked on the little people icon and got a screen that allowed me
to put in a name or a date of birth and it brought up anyone with that
name or date of birth and I could click on it and look at their
records. I was astounded,” Steve said.

A woman who also didn’t want to be identified said her family also
uses Advantage Health Solutions. She is concerned about who might now
know about her family’s prescriptions.

“I don’t want people to know that we have narcotic medicine in the
house. That was really scary to me,” said a woman we’ll refer to as
“Joan”.

She said it’s a major safety issue.

“The fact that someone can go online and pick and choose the people
who have narcotics and possibly rob their house because they want
drugs, that was my first thought,” Joan said.

The amount of personal information available on the site is quite
broad and extensive.

“We know this person has cancer, that Advantage has paid almost
$300,000 in medical bills, we know the medication she is on, the last
time she was in the hospital, her primary care physician, where she
lives, her phone number,” Joan said.

Fox59 wanted to know why all of this private health information was
not being protected.

So we went to Advantage Health Solutions’ Indianapolis office to find
out. Advantage Health Solutions immediately fixed the problem.

“When you arrived they took immediate action. They have their own IT
staff as well as a compliance officer and a general counsel and
together they took action to immediately block the site,” said the
company’s attorney, Joan Antokol.

Antokol is a partner at Park Legal LLC and specializes in data
privacy, security and records management.

The information was only available to the less than 400 people who had
applied for a username and password and that doesn’t necessarily mean
any of them saw other patients’ information, Antokol said.

The company had been working with two vendors on the site and it
appears this happened due to human error, Antokol said.

“Unfortunately, even though the system was tested multiple times in a
test environment before it was launched, a series of icons were
visible to registered users on the site,” Antokol said.

More than 70 percent of those registered clients only logged on
once or twice, Antokol said.

“Our review is not yet completed at this point in time but the review
we’ve done so far suggests this is an isolated incident,” Antokol
said.

These clients spoke out because they want to make sure this never happens again.

“All the people that are in the plan need to know that their
information is probably or possibly compromised,” Joan said.

“If enough people know this was happening perhaps there would be an
outcry and then they’d do something about it and perhaps change it,”
Steve said.

And they did change it. Antokol said the site will be down until
they’re 100 percent sure everyone’s information is kept private, for
good.

Antokol also said more than 57 percent of physicians across the U.S.
use patient portals and they expect even more to add them in the
coming year, due to Medicare and Medicaid incentives.

She said this is also an important reminder for users of the sites to
protect themselves on their end too by having up-to-date antivirus
software, logging off of their accounts and making sure their info is
accurate on the site.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/