Security flaw may be responsible for Laurel clinic data breach - WDAM-TV 7-News, Weather, Sports-Hattiesburg, MS

Jefferson Medical Associates say a small percentage of their patients' personal information was compromised. Source: Raycom News Network
LAUREL, MS (WDAM) -

A cyber security researcher said a flaw in an online security system may be responsible for a data breach of patient information at Jefferson Medical Associates in Laurel.

"I find things that are publicly available on the internet that should probably not be publicly available," said Chris Vickery, a cyber security researcher who lives in Austin, Texas. "Things like databases that have no password and are configured for public access."

Vickery said he found a security flaw in a database of Jefferson Medical patient information.

"I was just going through randomly looking at the publicly available, configured for public access databases on those ports, and this one showed up," he said. "When I realized there were social security numbers and names and phone numbers and prescription information, it dawned on me that 'hey this probably should not be public if it is real data.' So then I started the process of trying to figure out whose it was."

Jefferson Medical said Vickery was an unauthorized individual who shouldn't have had access to that information.

"This information is private information," said Katie Gilchrist, Jefferson Medical's legal counsel. "It's federally protected information. It's information that was on our server. This individual accessed it without our permission. He did it in secret. There has never been a time when patient information in Jefferson Medical's possession has been just out there for anyone to get to."

Vickery agrees he shouldn't have had access and said that's why he alerted the clinic to the hole in its security.

"It was as available as a website is," Vickery said.

Gilchrist said, "Basically it's like leaving a window unlocked in your house. You leave the house, and you leave a window unlocked. These folks out there think that entitles them to come into the house and look around at all your stuff and then take things with them when they leave. That's just not appropriate."

Vickery said this isn't a hack because the information was readily available to anyone who knew where to look.

"There was nothing to hack," Vickery said. "There simply was no password, no user name, no security features of any sort being used. If you want to use a real analogy, here's a better one. I drove along a country road, a public country road, that not many people drive along, and on the side of the road, there were some records. Jefferson Medical left those records there. I took pictures of them and hunted down Jefferson and told them their records were on the side of the road. There's no crime involved there. That's not hacking. That's simply them being negligent."

Gilchrist said an internal investigation is ongoing, and Jefferson Medical has already increased security in response to the breach.

"We have an outside security company that was engaged prior to this," she said. "They have come back in since this. They have done a complete overhaul of our systems and have found that other than this one place that this individual found to get in, everything else is secure. (They found that) he was only able to get into a very limited piece of that information, and nobody can get into that piece of information now. They have fixed that and closed it up."

Gilchrist said about 10 percent of patients' information could have been compromised, which she said was about 10,000 people. However, Vickery said he saw as many as 62,000 records in the database.

"If they're saying there are only 10,000 entries, they're trying to claim there were a lot of duplicates."

Gilchrist said HIPAA requires data breaches to be reported to the Office of Civil Rights with the U.S. Department of Health and Human Services, which she said Jefferson Medical has done. She said there is also an ongoing law enforcement investigation, but couldn't say what agencies are involved or if she thought Vickery could face criminal charges.

Vickery said he finds these kinds of security flaws for numerous companies. He said he didn't steal, sell or use that patient information at all and never intended to do so.

"We need more people who are on the good side of finding this kind of exposed data," Vickery said.

Gilchrist said patients with questions or concerns that their information may have been involved can call (855) 260-2771.

Copyright WDAM 2016. All rights reserved.
