700,000 Highly Sensitive School Records Exposed Online
Highly sensitive information on 682,438 teachers and students at independent schools has been left exposed to the Internet and could be accessed by anyone without a password. The exposed 572.8 GB database was discovered by security researcher Jeremiah Fowler who traced documents in the database to the Southern Association of Independent Schools, Inc (SAIS).
“In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered,” said Fowler. The database contained highly sensitive teacher and student records. Each student record included a photograph of the student, along with their home address, date of birth, age, Social Security number, and health information. Fowler said he discovered third-party security reports that included details of weaknesses in school security, the locations of cameras, access and entry points, active shooter and lockdown notifications, school maps, financial budgets, teacher background checks, and much more. Fowler quickly notified SAIS and the database was rapidly secured.
Fowler was unable to determine how long the database had been exposed and if it was accessed by unauthorized individuals. He said the database was a goldmine for criminals on many levels. The database was hosted in a cloud storage repository and had been mistakenly configured to be non-password protected. The database appeared to be on SAIS’s primary server, and the exposure did not appear to be due to a vendor configuration issue.
Harris Health Systems Confirms Breach of Almost 225,000 Patient Records
Harris County Hospital District, doing business as Harris Health System, has recently reported a data breach affecting 224,703 individuals. On June 2, 2023, Harris Health System was notified about a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was immediately addressed; however, the forensic investigation revealed hackers had exploited the vulnerability on May 28, 2023, and downloaded files from the system.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The review of the affected files revealed they contained information such as names, addresses, birth dates, Social Security numbers, medical record numbers, immigration status, driver’s license numbers/ other government-issued identification numbers, health insurance information, procedure information, treatment costs, diagnoses, medications, provider names, and dates of service.
Harris Health System said the vulnerability has been patched and additional steps have been taken to improve the security of its MOVEit server. Affected individuals were notified about the breach on July 21, 2023, and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.
New England Life Care Reports 51,854-Record Data Breach
New England Life Care in Portland, ME, says it detected a security breach on May 24, 2023, that disrupted its IT systems. The incident was rapidly contained a third-party cybersecurity firm was engaged to conduct a forensic investigation. The analysis confirmed that the exposed files contained patient data such as names, addresses, service/equipment information, and patient status (active/discharged).
The 51,854 affected individuals were notified by mail on July 21, 2023. New England Life Care said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.
Park Royal Hospital Discovers Unauthorized Email Account Access
Park Royal Hospital in Fort Myers, FL, has discovered unauthorized access to an employee email account. The security breach was detected on May 15, 2023, and the forensic investigation confirmed that the email account was compromised on May 8, 2023. The email account contained protected health information such as patient names, provider names, dates of treatment, and diagnosis and treatment information. The hospital said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.
The incident is still being investigated and notification letters will be mailed when that process is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals.
Email Accounts Compromised at Unified Pain Management
Konen & Associates, doing business as Unified Pain Management in Texas, has recently notified the HHS’ Office for Civil Rights about an email account breach involving at least 500 records. Suspicious activity was detected within its corporate email accounts on March 21, 2023. Steps were immediately taken to prevent further unauthorized access and a third-party digital forensic firm was engaged to conduct an investigation; however, it was not possible to determine if any information within the email accounts had been accessed or downloaded.
The review of the emails confirmed that they contained information such as patient names, addresses, health insurance policy numbers, Social Security numbers, payment information, and health information such as treatment and diagnosis information. Steps have been taken to improve email security and affected individuals have been offered credit monitoring and identity theft restoration services at no cost.
