Touchstone Medical Imaging recently acknowledged that 307,528 patients’ personal data may have been exposed when a folder containing billing information for radiology procedures conducted prior to August 2012 was inadvertently left accessible via the Internet (h/t PHIprivacy.net).
The company, which is headquartered in Tennessee and has locations in Arkansas, Colorado, Illinois, Nebraska and Texas, provides diagnostic imaging services including MRIs, CT scans, x-rays, ultrasound and mammograms.
While an initial investigation led Touchstone to believe that the information in the exposed folder wasn’t readable, the company says it “obtained new information” on September 5, 2014, which indicated that the data may in fact have been readable.
The information potentially exposed includes the 307,528 patients’ names, birthdates, addresses, phone numbers, health insurer names, radiology procedures and diagnoses, as well as some patients’ Social Security numbers.
“We deeply regret any inconvenience this may cause our patients,” Touchstone said in a statement. “To help prevent this from happening again, we are reinforcing the education of our employees and the monitoring of our systems regarding the protection of our patients’ information and continually reviewing and enhancing our policies and procedures.”
In a similar incident disclosed last month, the U.K.’s Oxford Health NHS Foundation Trust acknowledged that 4,200 registered users’ personal information was mistakenly made accessible online “during the process of creating a new website”.
“[T]he website was developed by a third party, who acted as a data processor,” the U.K. Information Commissioner’s Office (ICO) explained in a statement [PDF]. “The file containing the personal data was created in order to transfer customer accounts from the old website to the new website, however the data processor unintentionally placed the file in an area of the new website which was publicly accessible.”
“Further investigation highlighted that whilst a degree of human error occurred on the part of the processor there were other means by which the data could have been securely provided from the old developer to the new,” the ICO added.
The data potentially exposed included 4,200 user names, passwords, email addresses and billing addresses.
And Wisconsin’s Marquette University recently acknowledged that an undisclosed number of graduate school applicants’ personal information was inadvertently exposed when the settings on an internal file server were modified to allow access to anyone with Marquette login credentials (h/t SC Magazine).
The information potentially exposed includes the affected applicants’ names, addresses, phone numbers, email addresses, genders, birthdates, Social Security numbers, places of birth, visa statuses and future visa types for non-citizens, test scores, and any applicable transcript, payment, financial aid, employment, dismissal and felony conviction information.
“To the best of our knowledge, this information was accessed by a single individual — one Marquette employee — who promptly reported it to the university and we took immediate action to remove access to the documents,” Marquette spokesman Brian Dorrington told the Milwaukee Journal Sentinel.
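All three incidents above share one mechanism: a file full of personal records ended up in a location (a public web directory, an over-permissioned file share) where far more people than intended could read it. The following audit script is an added example written for this page; it is not code from Touchstone, Oxford Health, Marquette, the ICO or the article's author. It walks a web server's document root, flags files whose name and extension suggest a bulk data export, and records whether each one is world-readable, which is the kind of check a web or file-server administrator can run before and after a migration. The document root, file names and contents are all constructed for the demonstration, and the name/extension heuristics are assumptions to be tuned for a real environment.

```python
"""
Audit a web document root (or any shared directory) for files that look like
bulk exports of personal data. Constructed example; every path and file name
here is made up for the demonstration.
"""
import os
import tempfile
from pathlib import Path

# Extensions that commonly hold bulk records and should not sit under a public web root.
# Assumption: adjust to the formats your own tooling produces.
DATA_EXPORT_SUFFIXES = {".csv", ".sql", ".xlsx", ".xls", ".bak", ".json", ".xml"}

# Name fragments that suggest an export of customer, patient or account records.
# Assumption: extend with terms used by your own systems.
SENSITIVE_NAME_HINTS = ("account", "user", "patient", "billing", "export", "dump", "backup")


def looks_like_data_export(path: Path) -> bool:
    """Heuristic: a data-style extension combined with a record-related name."""
    name = path.name.lower()
    return path.suffix.lower() in DATA_EXPORT_SUFFIXES and any(
        hint in name for hint in SENSITIVE_NAME_HINTS
    )


def world_readable(path: Path) -> bool:
    """True when the 'other' read bit is set, i.e. any local account can read the file."""
    return bool(path.stat().st_mode & 0o004)


def audit_web_root(docroot: Path) -> list:
    """Return one finding per suspicious file, sorted by path relative to the root."""
    findings = []
    for candidate in docroot.rglob("*"):
        if candidate.is_file() and looks_like_data_export(candidate):
            findings.append({
                "path": candidate.relative_to(docroot).as_posix(),
                "world_readable": world_readable(candidate),
                "size_bytes": candidate.stat().st_size,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot() -> Path:
    """Create a constructed document root containing ordinary site files plus two misplaced exports."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / "index.html").write_text("<html>ok</html>\n")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body { margin: 0; }\n")
    # Generic name: matches the suffix list but not the name hints, so it is not flagged.
    (root / "data.json").write_text("{}\n")
    # The migration scenario: an account transfer file left in a served directory.
    (root / "migration").mkdir()
    accounts = root / "migration" / "user_accounts_export.csv"
    accounts.write_text("id,email,password_hash\n1,alice@example.test,REDACTED\n")
    # The billing scenario: a spreadsheet of procedure billing records.
    (root / "reports").mkdir()
    billing = root / "reports" / "patient_billing_2012.xlsx"
    billing.write_bytes(b"constructed placeholder, not a real spreadsheet")
    # Set explicit modes so the world-readable check is deterministic regardless of umask.
    for f in (accounts, billing):
        os.chmod(f, 0o644)
    return root


if __name__ == "__main__":
    sample_root = build_sample_docroot()
    for finding in audit_web_root(sample_root):
        flag = "WORLD-READABLE" if finding["world_readable"] else "restricted"
        print(f"{finding['path']}: {finding['size_bytes']} bytes, {flag}")
```

Run against a real document root, the script reports only candidate files; each hit still needs a human to confirm whether it holds personal data and whether it is reachable through the web server's configuration, since a file under the document root is normally served to anyone who guesses or lists its path.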
Although breaches like these continue to happen on a regular basis, many of them could easily be prevented with more effective training of employees.
A recent eSecurity Planet article offered several tips on how to offer security awareness training that works, from providing specific examples of security mistakes to targeting the training to meet each employee’s needs.