When Patient Data Lands On Google

Erin McCann | Government Health IT | September 11, 2014

A Huntsville, Ala., clinical diagnostics laboratory has notified more than 7,000 individuals of a HIPAA breach after the company discovered that protected health information stored on a third-party server had been unsecured for nearly three years. Diatherix Laboratories last month notified 7,016 people across the U.S. that their protected health information had been compromised and viewed by unauthorized outside parties after its billing contractor, Diamond Computing Company, had data on one of its servers accessible through Google. The server, officials noted, contained patient billing documents, health insurance forms, patient names and addresses. Many of the documents also included patient Social Security numbers, dates of birth, diagnosis codes and diagnostic tests ordered.

After engaging an outside security firm to investigate the incident, Diatherix discovered the server had been unsecured since Sept. 24, 2011. Diatherix further confirmed that files containing patient protected health information had been viewed from the outside in March 2014. Despite the server being unsecured and accessible on the Internet for nearly three years, Diatherix did not become aware of the breach until July 2014.

"Our organization takes information security and patient privacy very seriously," read an August notification letter to patients. "We deeply regret this situation and any inconvenience this may cause our patients." Diatherix officials said they have reached out to Google and other search engines known to have indexed the files containing PHI and requested the data be removed...