A Huge Trove of Patient Data Leaks, Thanks To Telemarketers' Bad Security (zdnet.com)
"A trove of records containing personal and health information on close to a million people was exposed after a former developer working at a telemarketing company uploaded a backup of its database to the internet," writes ZDNet. An anonymous reader quotes their report:
The data contained personal and health-related information, such as names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, health insurance information, and other data relating to the types of health problems the individuals have regarding the products they need, though many of the records were truncated or incomplete. An examination showed that the database was used to market products to thousands of customers by telemarketers at HealthNow -- no longer a registered business as of 2015. Several records we've seen included customized notes written by staff who were tasked with calling customers, such as when they are home and any other relevant information on the subject.
The database apparently lingered online for years in an AWS instance until it was discovered two weeks ago in search results from Shodan by a Twitter user calling himself Flash Gordon. Databreaches.net, which investigated the breach with ZDNet, believes this is a teachable moment. "Before you give your personal or health insurance information to telemarketers or firms that call to offer you supplies for diabetes or back pain or other conditions, think twice."
HIPAA, not HEPA.
Health Insurance Portability and Accountability Act, 1996
But if you want to take a High Efficiency Particulate Arresting filter to those loose bits from the server, be my guest.
Pain is merely failure leaving the body
HealthNow is owned by Dino Romano, a former Unistar executive and securities fraud recidivist. It ceased as a business in 2015...
When contacted, Daynier Brown, a software developer contracted to work on building a customer database for Romano, confirmed he obtained a copy of the database during the time he worked for Romano. In a phone call this week, Brown said he found the backup drive on a failing hard drive on a development server he owned from his previous HealthNow project. He spun the data out on an Amazon Web Service instance he owned, which pointed to MediboxSolutions.com, a website owned by Brown, intended to eventually provide customer database solutions for medical services.
In other words, a scammer stole the data from another scammer and didn't bother to secure it. Yes, that's a huge HIPAA violation.