The protected health information (PHI) of tens of thousands of Middletown Medical patients was exposed due to a misconfiguration in the security setting of a radiology interface. Middletown Medical, a multi-specialty physician’s group that is located in Middleton, New York, found out about the misconfigured security setting on January 29, 2018.
Middletown Medical immediately secured the interface the following day so that unauthorized persons cannot access patient information. It is not known how long the system was left unsecure allowing patient data to be accessible. But Middletown Medical stated that the number of patients’ PHI potentially accessed by unauthorized persons is limited.
There was no highly sensitive information like Social Security numbers, insurance data or financial information exposed. Breached information was limited to the patients’ names, birth dates, client identification numbers, confirmation of receipt of radiology services by patients, and date of the service provided. Some of the patients also had exposed their diagnosis codes, radiology reports and radiology images.
When Middletown Medical discovered the error, it prompted the review of the HIPAA-covered entity’s policies and procedures. Additional safeguards were implemented to guarantee the confidentiality of documents with PHI. The personnel were provided additional training to secure information systems. Interfaces were also modified to make sure all information is kept secure.
Though Middletown Medical did not receive any report of misuse, as a precaution, all patients whose information was compromised were offered free identity theft protection services for 12 months. They were also requested to check and monitor their account statements and Explanation of Benefits statements to guard against fraudulent activities.
Middletown Medical submitted the data breach report to the Department of Health and Human Services’ Office for Civil Rights. There were 63,551 patients whose PHI was exposed. So far, it is one of the largest healthcare data breaches that happened this year.