Security flaw may be responsible for Laurel clinic data breach
LAUREL, MS (WDAM) - A cyber security researcher said a flaw in an online security system may be responsible for a data breach of patient information at Jefferson Medical Associates in Laurel.
"I find things that are publicly available on the internet that should probably not be publicly available," said Chris Vickery, a cyber security researcher who lives in Austin, Texas. "Things like databases that have no password and are configured for public access."
Vickery said he found a security flaw in a database of Jefferson Medical patient information.
"I was just going through randomly looking at the publicly available, configured for public access databases on those ports, and this one showed up," he said. "When I realized there were social security numbers and names and phone numbers and prescription information, it dawned on me that 'hey, this probably should not be public if it is real data.' So then I started the process of trying to figure out whose it was."
Jefferson Medical said Vickery was an unauthorized individual who shouldn't have had access to that information.
"This information is private information," said Katie Gilchrist, Jefferson Medical's legal counsel. "It's federally protected information. It's information that was on our server. This individual accessed it without our permission. He did it in secret. There has never been a time when patient information in Jefferson Medical's possession has been just out there for anyone to get to."
Vickery agrees he shouldn't have had access and said that's why he alerted the clinic to the hole in its security.
"It was as available as a website is," Vickery said.
Gilchrist said, "Basically it's like leaving a window unlocked in your house. You leave the house, and you leave a window unlocked. These folks out there think that entitles them to come into the house and look around at all your stuff and then take things with them when they leave. That's just not appropriate."
Vickery said this isn't a hack because the information was readily available to anyone who knew where to look.
"There was nothing to hack," Vickery said. "There simply was no password, no user name, no security features of any sort being used. If you want to use a real analogy, here's a better one. I drove along a country road, a public country road, that not many people drive along, and on the side of the road, there were some records. Jefferson Medical left those records there. I took pictures of them and hunted down Jefferson and told them their records were on the side of the road. There's no crime involved there. That's not hacking. That's simply them being negligent."
Gilchrist said an internal investigation is ongoing, and Jefferson Medical has already increased security in response to the breach.
"We have an outside security company that was engaged prior to this," she said. "They have come back in since this. They have done a complete overhaul of our systems and have found that other than this one place that this individual found to get in, everything else is secure. (They found that) he was only able to get into a very limited piece of that information, and nobody can get into that piece of information now. They have fixed that and closed it up."
Gilchrist said about 10 percent of patients' information could have been compromised, which she said was about 10,000 people. However, Vickery said he saw as many as 62,000 records in the database.
"If they're saying there are only 10,000 entries, they're trying to claim there were a lot of duplicates."
Gilchrist said HIPAA requires data breaches to be reported to the Office for Civil Rights at the U.S. Department of Health and Human Services, which she said Jefferson Medical has done. She said there is also an ongoing law enforcement investigation, but couldn't say what agencies are involved or whether she thought Vickery could face criminal charges.
Vickery said he finds these kinds of security flaws for numerous companies. He said he didn't steal, sell or use that patient information at all and never intended to do so.
"We need more people who are on the good side of finding this kind of exposed data," Vickery said.
Gilchrist said patients with questions or concerns that their information may have been involved can call (855) 260-2771.