Lawsuits Emerge Following Discovery of Unprotected Patient Records

A security researcher recently uncovered a significant security breach involving an unencrypted database lacking password protection, revealing personal information of nearly one million medical marijuana patients. This discovery has led to at least six lawsuits against an Ohio company, Ohio Medical Alliance, which assists patients in obtaining physician-approved medical marijuana cards.
The class action lawsuits filed in an Ohio federal court allege negligence on the part of Ohio Medical Alliance, asserting that the firm failed to adequately protect sensitive personal and health information. The plaintiffs argue that this oversight exposes individuals to risks such as fraud and identity theft.
Ohio Medical Alliance facilitates telemedicine consultations with state-certified medical marijuana physicians to determine patient eligibility for treatments. Once approved, patients receive a physician-certified card via email from the Ohio Board of Pharmacy, enabling them to purchase medical marijuana products.
According to the company’s website, insurance is not accepted for these consultations, with a note that such services are currently not covered. They expressed hope for future changes in this regard.
Details of the Breach
The lawsuits stem from findings reported by security researcher Jeremiah Fowler, who disclosed an unsecured 300-gigabyte database containing 957,434 patient records. This database, which lacked proper access controls, included sensitive documents such as high-resolution images of driver’s licenses, names, addresses, dates of birth, and license numbers.
The uncovered information included patient intake forms, medical records, release forms, certification documents with Social Security numbers, and mental health evaluations. Fowler noted that the medical documents revealed diagnoses and the reasons patients sought medical marijuana prescriptions.
Additionally, the exposed content comprised approximately 210,620 email addresses of clients and internal employees. After discovering the data exposure during July 12-13, Fowler notified Ohio Medical Alliance on July 14, leading to the database being secured from public access the next day.
It remains unclear whether Ohio Medical Alliance directly managed the database or if a third-party contractor was responsible. Fowler highlighted that a thorough internal audit would be necessary to ascertain the extent of the exposure and any potential unauthorized access.
Allegations in the Lawsuit
The lawsuits assert that Ohio Medical Alliance has yet to disclose details about the cybersecurity incident, including its root cause and the duration of the exposure. The firm has not responded to requests for comment regarding the ongoing litigation or Fowler’s findings.
Fowler indicated that he has not received any communication from Ohio Medical Alliance following his responsible disclosure notification, stating, “They simply restricted access to the files and never replied.” He also mentioned not being contacted by any attorneys representing the plaintiffs in the lawsuits.
Fowler’s expertise extends to identifying various exposed databases containing sensitive information, emphasizing the need for organizations to understand the importance of protecting digital identities. He acknowledged the challenges posed by the current patchwork of data protection laws, especially concerning healthcare data.
Regulatory Implications
While some regulatory attorneys have noted that Ohio Medical Alliance may not qualify as a HIPAA-covered entity, it could still act as a business associate under HIPAA regulations. This distinction hinges on whether the firm electronically transmits protected health information as part of transactions related to insurance claims or eligibility checks.
Given that Ohio Medical Alliance states it does not accept insurance, it may not meet the qualifications of a covered entity. However, its role in telemedicine consultations may make it a business associate, which would subject it to HIPAA compliance requirements. Legal experts warn that the organization could face scrutiny under both state and federal laws relating to consumer data privacy.
The incident underscores systemic issues in data protection within the healthcare sector, highlighting the urgency for more robust safeguards. As litigation progresses, industry observers anticipate that the cases will follow the usual course for data breach class actions, potentially culminating in settlements that offer minimal compensation to affected individuals.
This situation brings to light the necessity for organizations in regulated industries, especially those handling sensitive health information, to reassess their data security strategies and foster greater accountability for protecting personal data.