Privacy & Security

Vendor error causes major patient record leak at New York hospital

Cause of Bronx-Lebanon Hospital Center breach tied to misconfigured rsync backup that was managed by iHealth Innovations.
By Bill Siwicki
May 09, 2017
12:42 PM

Tens of thousands, and possibly up to millions, of patient records at Bronx-Lebanon Hospital Center in New York City were exposed in a recent data breach, according to the Kromtech Security Research Center, which uncovered the records on May 3. The records were part of a backup managed by iHealth Innovations, the research center said.

The cause of the breach appeared to be a misconfigured rsync backup, the research center said. Rsync is a utility for transferring and synchronizing files across systems, checking the timestamp and size of files, and typically is used for synchronizing files and directories between two different systems.

[Also: Comey to hospitals: Paying ransoms is a big mistake]

Bronx-Lebanon Hospital Center and iHealth Innovations did not immediately respond to requests for comment.
 
“By now, you may be tired of reading reports on misconfigured MongoDB installations or rsync backups,” a DataBreaches.net blogger going by the name Dissent wrote. “It’s almost as if no one is listening to any of the researchers begging entities to secure their data. How many MongoDB servers have to be totally wiped out or ransomed before more people start checking whether they left port 27017 open? How many more nude photos of patients or ultrasound images will be exposed because of misconfigured Rsync backups?”

[Also: Microsoft Office: The ubiquitous software that few trust to protect their data]

Kromtech Security Research Center and the blogger contacted Bronx-Lebanon and iHealth, and the blogger reported that the data then was secured. The hospital told the blogger it had no further comment at this time.

“So no, we didn’t get to the question of whether any business associate agreement was in place and how the hospital evaluated their vendor’s data security or whether the vendor even needed all that personal and confidential medical information to do its job for the hospital,” the blogger wrote. “The records contained a lot of sensitive medical information in addition to personally identifiable information. Some may be shocked by the amount of detail in the records. Do you really want all these hospital records exposed on the Internet because of a vendor’s error? Do you even want a vendor to have all this sensitive information?”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

Topics: 
Privacy & Security

More regional news

Nurses huddled together look at electronic health records on a tablet.

Epic and Marquette collaborate on EHR training for nursing students

By
Andrea Fox
October 31, 2023
HHS headquarters in Washington

New information blocking rules from HHS could cost noncompliant providers thousands

By
Mike Miliard
October 31, 2023
Physician using multiple EHRs and IT systems

Clinician EHR struggles compromise patient care, study shows

By
Nathan Eddy
October 31, 2023
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

HHS headquarters in Washington
New information blocking rules from HHS could cost noncompliant providers thousands

Most Read

Guardrails, data governance key to solid generative AI outcomes
AHA security leader sees 'AI-fueled cyber arms race'
Multiple data access deals signed in Korea for digital health research
FBI dismantles Qakbot malware targeting hospitals
Boards are grasping cyber threats, but CISOs still feel underprepared
Is your hospital ready for 3-4 weeks of downtime?

Research

White Papers

More Whitepapers

Artificial Intelligence
Analytics
Precision Medicine

Webinars

More Webinars

Analytics
Analytics
Privacy & Security

Video

Elise Kohl-Grant, cochair of the programming committee at the HIMSS New York State Chapter
New York State Chapter of HIMSS focuses on health equity
Dr. Michael Poku, chief clinical officer at Equality Health
Addressing health equity's cost curve
Dr. Michael Pfeffer at Stanford Health Care_Photo: Doctor using tablet by Sean Anthony Eddy/E+/Getty Images
CIO Spotlight: Dr. Michael Pfeffer of Stanford Health Care
Lynn Carroll, COO of HSBlox
Using tech to get to health equity-social determinants of health link

More Stories

A pharmacist doing an inventory using a digital tablet.
There is no escaping making investments in cybersecurity...
group of healthcare workers talking over hospital bed
Modernizing clinical placement to accelerate clinician training and recruitment
A male doctor sits with another man and they are looking at SDOH data on a mobile device.
Tufts Medical Center to pilot nutrition screening in EHR
Lynn Carroll, COO of HSBlox
Using tech to get to health equity-social determinants of health link
Yale New Haven Health
Yale New Haven radiologists boost CT scan reviews with AI
Dubai Health Authority
The current state of Dubai’s healthcare digital transformation journey
Leah Dewey, VP of clinical and consumer engagement operations at Cotiviti.
Payers have a part to play in addressing health disparities
Christie Teigland, vice president of research science and advanced analytics at Inovalon.
Medicare Advantage plans' star ratings to be affected by Health Equity Index