University Leaves Patient Data Vulnerable for Two Years

In another major breach in which a healthcare provider's patient data was exposed on an unsecured site for nearly two years, University of Iowa Health Care reports that in April of this year it discovered that sensitive information on over 5000 patients had been posted online, unencrypted, since May 2015, on a site used for application development.

On April 29, UI received a tip from someone who inadvertently discovered the unsecured data. The University deleted the files on May 1, after learning of the mistake.

While it does not appear that any of the data, which includes names, dates of admission and medical record numbers, was misused, this type of breach is becoming more and more common. This type of mistake should be easy to avoid, but the problem here, as in many other incidents, is that not all employees are properly educated.

This was a case of employee error. UI was quick to investigate the matter, and a spokesman for the University stated that “an employee used this open source programming tool as part of an application development for UI Health Care operations. The files were not made private and were left on the site after the work was completed.”

Fortunately, it does not appear that any of the data was misused, so the University is not offering any free credit monitoring. The incident has, however, been recorded with the Department of Health and Human Services, and UI is taking steps to bulk up its cyber security by:

  • Providing more in-depth training for staff and students.
  • Applying stricter processes for developing and managing databases.
  • Developing more rigorous protocols and testing before going live.