Are Your Digital Health Records Safe & Secure? For 300K Californians, They Were Not

Image courtesy of atm2003 via Shutterstock.

Southern California Medical-Legal Consultants, a firm that represents doctors and hospitals seeking payment from patients receiving workers' compensation, uploaded the medical files of nearly 300,000 Californians to an unsecured website. Owner Joel Hecht said the company "believed only employees could use" the website; however, the entire world had easy access, reports Press-Telegram.

Lucky for the hundreds of thousands of patients, Aaron Titus, an Identity Finder researcher, discovered the very personal data through simple Internet searches.

The data were "available to anyone in the world with half a brain and access to Google," Titus said.

Titus added that the company blundered twice when setting up its "secure" website. Two basic techniques it overlooked would have ensured privacy: "requiring a password and instructing search engines not to index the pages."
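The two controls Titus names can be verified from the outside by requesting a page without credentials. The following is an added example, not part of the original article: the function names, finding labels and sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # robots directives that keep a page out of search results

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def audit_response(status, headers, body):
    """Findings for one response that was fetched WITHOUT credentials."""
    if status in (401, 403):
        return []                      # anonymous request refused: password control in place
    if not 200 <= status < 300:
        return ["review-manually"]     # redirects and errors need a human look
    findings = ["no-auth"]             # content was served to an anonymous client
    hdrs = {k.lower(): v for k, v in headers.items()}
    # "googlebot: noindex" style values carry a user-agent prefix; keep the directive.
    seen = {d.rsplit(":", 1)[-1].strip().lower()
            for d in hdrs.get("x-robots-tag", "").split(",")}
    meta = RobotsMeta()
    meta.feed(body)
    if not (seen | meta.directives) & BLOCKING:
        findings.append("indexable")   # no instruction to search engines either
    return findings

# Constructed sample responses (status, headers, body); not taken from the incident.
SAMPLES = {
    "open": (200, {"Content-Type": "text/html"}, "<html><head><title>File</title></head></html>"),
    "header-only": (200, {"X-Robots-Tag": "noindex, nofollow"}, "<html></html>"),
    "meta-only": (200, {}, '<html><head><meta name="robots" content="NOINDEX"></head></html>'),
    "gated": (401, {"WWW-Authenticate": 'Basic realm="staff"'}, ""),
}

def audit_all(samples=SAMPLES):
    return {name: audit_response(*resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:12} {result or 'ok'}")
```

A `noindex` directive only keeps a page out of search results; anyone who has the URL can still read it, so the `no-auth` finding is the one that restricts access.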

There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

Paul Thompson, an affected patient who learned of the breach via Titus, is appalled by the confidentiality-deficient system.

"I'm totally disgusted about everything," he said, calling the breach "another kick in the stomach."

The digital information has since been password-protected by the firm, and Hecht has declined to comment on how many patients received notification of the privacy breach, as required by state law.

Federal law's decree to digitize all health records by 2014 paints a terrifying privacy portrait for some. Thompson admitted, "[The prospect] scares the living hell out of me."

Comments

  • Where's the outrage? Where's the accountability? Who's rectifying this and who's paying for it? Where's the L.A. Times investigation and performance overview data? Oh wait, that's right, we're not attacking teachers or unions so there's no need to incite outrage by calling for investigations or retribution. When private corporations blunder it's ok. Ca$h is king.