Medical records are among the most sensitive data about a person that exists. As a result, legally speaking they’re supposed to be carefully secured so only you, your doctor, and those you consent to see them can take a look. A major hospital in New York, however, has apparently been leaving them out in public for anybody who can find them to view.
First discovered by German computer security company Kromtech, the leak consists of at least tens of thousands, and possibly millions, of records from Bronx-Lebanon Hospital Center in New York, one of the busiest hospitals in America. While the hospital claims it was the victim of a hacking attempt, Kromtech found the documents by searching for devices running a popular backup protocol called rsync. Rsync is a notoriously leaky piece of software when its default port is left unprotected, and searching for this misconfiguration is a common computer security tactic.
It appears that is exactly the mistake a Kentucky-based IT contractor, iHealth Solutions, made. None of the files were encrypted, and the server carrying the documents wasn’t protected by a firewall. Anyone with a basic knowledge of common computer security problems could have found these documents, which include addiction treatment, surgery records, and psychological health records. And, of course, there’s data like Social Security numbers. It’s not clear yet what will unfold, but this is an enormous violation of HIPAA, and the fallout likely hasn’t been felt just yet.
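The exposure described above comes down to an rsync daemon serving a module with no source restriction and no authentication. As an added example (not code from Kromtech, the hospital, or the contractor), the script below audits a constructed rsyncd.conf for those settings and shows the same module in a restricted form; the paths, network range and user name are made up.

```sh
#!/bin/sh
# Added example: audit an rsyncd.conf for the exposure pattern described in the article.
# Both configs below are constructed samples, not the hospital's or the contractor's.
WEAK_CONF=$(mktemp)                       # module as commonly left: open to everyone
cat > "$WEAK_CONF" <<'EOF'
[backup]
    path = /srv/backup
    read only = no
EOF

HARDENED_CONF=$(mktemp)                   # same module, restricted and authenticated
cat > "$HARDENED_CONF" <<'EOF'
[backup]
    path = /srv/backup
    read only = yes
    list = no
    hosts allow = 10.0.0.0/8
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
EOF

# audit_rsyncd_conf FILE
# Prints one line per weak setting and returns the number of findings (0 = clean).
# Matches against the whole file, so a global setting counts for every module.
audit_rsyncd_conf() {
    body=$(sed 's/#.*//' "$1")            # drop comments before matching
    findings=0
    has() { printf '%s\n' "$body" | grep -Eiq "$1"; }
    if ! has '^[[:space:]]*hosts allow[[:space:]]*='; then
        echo "no 'hosts allow': any source address may connect"; findings=$((findings + 1))
    fi
    if ! has '^[[:space:]]*auth users[[:space:]]*='; then
        echo "no 'auth users': module served without authentication"; findings=$((findings + 1))
    fi
    if has '^[[:space:]]*read only[[:space:]]*=[[:space:]]*(no|false)'; then
        echo "'read only = no': remote clients may write to the module"; findings=$((findings + 1))
    fi
    if ! has '^[[:space:]]*list[[:space:]]*=[[:space:]]*(no|false)'; then
        echo "module listing left at rsync's default (yes): names disclosed to any client"; findings=$((findings + 1))
    fi
    return $findings
}

echo "== weak =="; audit_rsyncd_conf "$WEAK_CONF" || echo "findings: $?"
echo "== hardened =="; audit_rsyncd_conf "$HARDENED_CONF" && echo "clean"
```

Note that `hosts allow` only limits who the daemon answers; the rsync daemon protocol itself carries data in the clear, so a firewall in front of port 873 or running rsync over SSH is still needed for the encryption the article says was missing.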