ADVERTISEMENT

New York charity leaves sensitive patients’ data unsecured

New York charity leaves sensitive patients’ data unsecured
Bernard Meyer
Bernard Meyer Senior Researcher
Mar 31, 2021 Updated: 28 September 2021 4 min read

What data was in the database

  • At least 13,000 entries on vaccines, including administration date, vaccine type, dosage, product, and expiration
  • Diagnostic tests, including:
    • Patient IDs
    • Test code, ID and name
    • Dates
  • Patient referral, including:
    • Patient number
    • Referring doctor and address
    • Referral reasons
    • Data of what appears to be the receiving doctor
  • Contact information for the patients or their legal guardians
  • Employee information (without column headers) that appear to include:
    • Staff names
    • Employee or other IDs
    • Branches or cooperating offices (such as Child Welfare Services)
  • Chart notes with descriptions and patient IDs
  • 7,000 entries for patients, including:
    • Patient names and birthdates
    • Parent/guardian names and phone numbers
    • The relationship (such as foster or biological parent, or case worker)
    • Addresses
    • Referral notes
    • Insurer IDs
  • BP and height records for patients aged 1-17
  • A headerless TXT file containing SSNs and what appears to be IDs, but without names or other identifying information
ADVERTISEMENT

Who owns the database?

  • Foster care and adoption, with the NYC Administration for Children’s Services referring children to the NY Foundling for placement and other support services
  • Child protection
  • A charter school aimed at kids in the child welfare system
  • Juvenile justice programs
  • Deaf services
  • Developmental disabilities programs
  • A head start program in Puerto, which aims to help children and families in impoverished areas improve their social and educational situations

Impact

  • Target the children or their foster parents or care workers with spear phishing campaigns using only the data in the Patients or Contacts documents
  • Target staff of the charity with phishing campaigns in order to get into the organization’s systems
  • Create fraudulent identities
  • File fraudulent insurance claims
  • Exploit or extort the patients or their legal guardians
  • Collect, collate and sell this medical data on to other bad actors

Here’s what to do next

  • Check if your data has been leaked in this or other breaches by using a service like CyberNews’ personal data leak checker, which currently has more than 15 billion records
  • Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails
  • Watch out for suspicious activity on your financial accounts, and set up identity theft monitoring
ADVERTISEMENT