Security flaw may be responsible for Laurel clinic data breach - WDAM-TV 7-News, Weather, Sports-Hattiesburg, MS

Jefferson Medical Associates say a small percentage of their patients' personal information was compromised. Source: Raycom News Network
LAUREL, MS (WDAM) -

A cyber security researcher said a flaw in an online security system may be responsible for a data breach of patient information at Jefferson Medical Associates in Laurel.

"I find things that are publicly available on the internet that should probably not be publicly available," said Chris Vickery, a cyber security researcher who lives in Austin, Texas. "Things like databases that have no password and are configured for public access."

Vickery said he found a security flaw in a database of Jefferson Medical patient information.

"I was just going through randomly looking at the publicly available, configured for public access databases on those ports, and this one showed up," he said. "When I realized there were social security numbers and names and phone numbers and prescription information, it dawned on me that 'hey this probably should not be public if it is real data.' So then I started the process of trying to figure out whose it was."

Jefferson Medical said Vickery was an unauthorized individual who shouldn't have had access to that information.

"This information is private information," said Katie Gilchrist, Jefferson Medical's legal counsel. "It's federally protected information. It's information that was on our server. This individual accessed it without our permission. He did it in secret. There has never been a time when patient information in Jefferson Medical's possession has been just out there for anyone to get to."

Vickery agrees he shouldn't have had access and said that's why he alerted the clinic to the hole in its security.

"It was as available as a website is," Vickery said.

Gilchrist said, "Basically it's like leaving a window unlocked in your house. You leave the house, and you leave a window unlocked. These folks out there think that entitles them to come into the house and look around at all your stuff and then take things with them when they leave. That's just not appropriate."

Vickery said this isn't a hack because the information was readily available to anyone who knew where to look.

"There was nothing to hack," Vickery said. "There simply was no password, no user name, no security features of any sort being used. If you want to use a real analogy, here's a better one. I drove along a country road, a public country road, that not many people drive along, and on the side of the road, there were some records. Jefferson Medical left those records there. I took pictures of them and hunted down Jefferson and told them their records were on the side of the road. There's no crime involved there. That's not hacking. That's simply them being negligent."

Gilchrist said an internal investigation is ongoing, and Jefferson Medical has already increased security in response to the breach.

"We have an outside security company that was engaged prior to this," she said. "They have come back in since this. They have done a complete overhaul of our systems and have found that other than this one place that this individual found to get in, everything else is secure. (They found that) he was only able to get into a very limited piece of that information, and nobody can get into that piece of information now. They have fixed that and closed it up."

Gilchrist said about 10 percent of patients' information could have been compromised, which she said was about 10,000 people. However, Vickery said he saw as many as 62,000 records in the database.

"If they're saying there are only 10,000 entries, they're trying to claim there were a lot of duplicates."

Gilchrist said HIPAA requires data breaches to be reported to the Office of Civil Rights with the U.S. Department of Health and Human Services, which she said Jefferson Medical has done. She said there is also an ongoing law enforcement investigation, but couldn't say what agencies are involved or if she thought Vickery could face criminal charges.

Vickery said he finds these kinds of security flaws for numerous companies. He said he didn't steal, sell or use that patient information at all and never intended to do so.

"We need more people who are on the good side of finding this kind of exposed data," Vickery said.

Gilchrist said patients with questions or concerns that their information may have been involved can call (855) 260-2771.

Copyright WDAM 2016. All rights reserved.
