
New York charity leaves sensitive patients’ data unsecured

by Bernard Meyer
31 March 2021
in Security

We recently discovered an unsecured database that appears to belong to one of the largest charities in New York. The unsecured database contained more than 2,000 CSV and TXT files, each with hundreds or thousands of entries related to patients’ medical records, children’s legal guardians, case workers, doctors, and other child welfare specialists.

Some documents even contained social security numbers.

The files were stored on an unsecured Microsoft Azure Blob that was publicly accessible, meaning that anyone with the URL was able to download the data.

Many of the email and physical addresses within the database point to the New York Foundling organization, which provides many services related to child protection, foster care and adoption, disabilities services, and more.

We first reached out to the New York Foundling organization on March 1, but received no response after multiple attempts. We then contacted Azure to have the database secured, and it was removed from public access on March 17.

The New York Foundling organization has not confirmed that the database is theirs.

To see if any of your online accounts were exposed in this or other security breaches, use our personal data leak checker with a library of 15+ billion breached accounts.

What data was in the database

Inside the Azure blob, we discovered 104 CSV and 2131 TXT files. 

These files contained hundreds or thousands of entries, including:

  • At least 13,000 entries on vaccines, including administration date, vaccine type, dosage, product, and expiration
  • Diagnostic tests, including:
    • Patient IDs
    • Test code, ID and name
    • Dates
  • Patient referral, including:
    • Patient number
    • Referring doctor and address
    • Referral reasons
    • Details of what appears to be the receiving doctor
  • Contact information for the patients or their legal guardians
  • Employee information (without column headers) that appears to include:
    • Staff names
    • Employee or other IDs
    • Branches or cooperating offices (such as Child Welfare Services)
  • Chart notes with descriptions and patient IDs
  • 7,000 entries for patients, including:
    • Patient names and birthdates
    • Parent/guardian names and phone numbers
    • The relationship (such as foster or biological parent, or case worker)
    • Addresses
    • Referral notes
    • Insurer IDs
  • BP and height records for patients aged 1-17
  • A headerless TXT file containing SSNs and what appears to be IDs, but without names or other identifying information

The last modified date for these files is July 16, 2020. 

The data in these files was split so that patient names, birthdates and other personal information were kept apart from the medical records. However, the two sets of files are linked by their patient IDs.

For example, patient IDs were listed in the chart notes CSV document. This file included a diagnosis or summary of the issue, as well as accompanying notes. Some of the notes contained relevant information about the child’s family situation, and some notes included the child’s name.

The same patient IDs were included in the patients CSV document, along with the patients’ names. All instances in which the children were named in the chart notes matched with their contact information in the patient file.

Additionally, since the chart notes file contained multiple entries for the same patient, it was likely possible to piece together a patient’s medical history from this document alone.
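The re-identification path described above, as an added example that is not part of the Cybernews report or any NY Foundling code: a small Python audit that takes a "de-identified" chart-notes export and the identity file and reports how many notes re-link through the shared patient ID and how many leak a patient's name into free text. The CSV contents, names and IDs are constructed samples.

```python
import csv
import io
import re

# Constructed sample exports mimicking the structure the article describes:
# the patients file holds direct identifiers, the chart-notes file holds only
# a patient ID plus free-text notes. All names and IDs are made up.
PATIENTS_CSV = """patient_id,name,birthdate,guardian_phone
P1001,Alex Example,2011-04-02,555-0101
P1002,Sam Sample,2013-09-15,555-0102
P1003,Jo Placeholder,2009-01-30,555-0103
"""

CHART_NOTES_CSV = """patient_id,note_date,note
P1001,2020-05-01,Follow-up visit; guardian reports improvement
P1001,2020-06-12,Alex Example seen for vaccination booster
P1002,2020-06-20,Referral to specialist pending
P9999,2020-07-01,Orphan record with no matching patient row
"""


def parse_csv(text: str) -> list[dict]:
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def linkage_report(patients: list[dict], notes: list[dict]) -> dict:
    """Measure how much of a 'de-identified' notes export can be re-linked to
    identities via a shared patient_id, and how many notes leak a patient's
    name into free text despite the files being kept separate."""
    by_id = {p["patient_id"]: p for p in patients}
    linked_notes, linked_patients, name_leaks = 0, set(), 0
    for row in notes:
        person = by_id.get(row["patient_id"])
        if person is None:
            continue  # key absent from the identity file: no direct linkage
        linked_notes += 1
        linked_patients.add(person["patient_id"])
        # Case-insensitive whole-name match inside the free-text note.
        if re.search(re.escape(person["name"]), row["note"], re.IGNORECASE):
            name_leaks += 1
    return {
        "linked_notes": linked_notes,
        "linked_patients": len(linked_patients),
        "name_leaks": name_leaks,
        "unlinkable_notes": len(notes) - linked_notes,
    }
```

A non-zero `linked_notes` count means the "separated" export is not de-identified in the HIPAA sense, because the identifying key travels with the medical data.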

This information, in totality, was particularly sensitive. Many of the email and physical addresses were connected to the New York Foundling organization.

Who owns the database?

The database appears to belong to the New York Foundling group, a 501(c)3 charity organization and one of New York City’s oldest and largest child welfare agencies. According to its website, the organization has been in operation since 1869 with programs in the five boroughs, Rockland County and Puerto Rico.

The organization currently runs several different programs across its locations:

  • Foster care and adoption, with the NYC Administration for Children’s Services referring children to the NY Foundling for placement and other support services
  • Child protection
  • A charter school aimed at kids in the child welfare system
  • Juvenile justice programs
  • Deaf services
  • Developmental disabilities programs
  • A Head Start program in Puerto Rico, which aims to help children and families in impoverished areas improve their social and educational situations

We reached out to NY Foundling, not only to confirm if the database belongs to them and to help secure it, but also to provide further cybersecurity assistance if needed. However, they did not respond to our requests.

Impact

The impact here is pretty clear: medical information is protected by HIPAA and other privacy laws in the US, especially so for children. Beyond that protected group, sensitive data about foster parents, child protection workers, medical staff and organization staff was also left unsecured.

HIPAA classifies medical data as protected health information (PHI), and there are very strict rules on how this data is created, collected, transmitted, or maintained. Medical data only counts as PHI if the patients can be identified. If all personal identifiers are stripped from it, it no longer qualifies as PHI.

In this database, the medical data was in fact separated from the personal identifiers in any given document. However, it seemed straightforward enough to reintegrate the personal data and the medical data.

Regardless of whether it was a HIPAA violation, this was still sensitive data that could negatively impact these patients. Even if it were a HIPAA violation, HIPAA provides no private right of action: individuals can’t sue the organization themselves, and it is up to state attorneys general to bring suit.

Besides HIPAA, there is also a myriad of state privacy and confidentiality laws that such an unsecured database may violate.

In any case, cybercriminals may use the data for their own malicious purposes. While many bad actors claim to stay away from attacking hospitals or charities, and some “Robin Hood” criminals even steal money and donate it to charity, the reality is not so rosy. For example, a November 2020 report showed that at least one-third of all charities in the UK had suffered a cyberattack during the pandemic, while another report from the Charity Commission confirmed that more than 100 UK charities had fallen victim to a ransomware attack.

With the data contained within this database, a bad actor may be able to:

  • Target the children or their foster parents or care workers with spear phishing campaigns using only the data in the Patients or Contacts documents
  • Target staff of the charity with phishing campaigns in order to get into the organization’s systems
  • Create fraudulent identities
  • File fraudulent insurance claims
  • Exploit or extort the patients or their legal guardians
  • Collect, collate and sell this medical data on to other bad actors

Here’s what to do next

It is unclear whether any bad actors were able to access the data, or how long the data was left out in the open. 

If your data has been included in the data leak, or you believe your data has, there are a few important steps you need to follow:

  • Check if your data has been leaked in this or other breaches by using a service like CyberNews’ personal data leak checker, which currently has more than 15 billion records
  • Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails
  • Watch out for suspicious activity on your financial accounts, and set up identity theft monitoring