Kingman Regional Medical Center (KRMC) is in the process of notifying patients that their sensitive data may have been compromised following the discovery of a flaw on its website that may have allowed unauthorized users to access patient data.
KRMC became aware of the security issue on April 8, 2019. Their IT team immediately took steps to shut down the website. An investigation was launched into how such a flaw was introduced to the site. KRMC hired a third-party computer forensics company to assist with their investigation.
The investigators determined that the website was incorrectly configured such that unauthorized individuals may have been able to gain access to patient information.
The website was housed on an isolated server, so any access to data was limited to the information stored on the server. Only a small subset of KRMC’s total patient base was affected by the breach, limited to patients who used the website to enter information related to their care, such as making an appointment. The information affected by the breach included patient names, dates of birth, and information supplied related to a medical condition for which medical services were being requested.
Following HIPAA’s Breach Notification Rule, KRMC sent letters by mail to affected patients on June 7, 2019. The KRMC website has been offline now for more than 2 months. KRMC is in the process of rebuilding the website with enhanced privacy and security safeguards.
Teri Williams, KRMC’s Communications and Marketing Director, has said the organization “employs strict international protocols for protecting the security of our medical systems, which meet hospital accreditation criteria and federal standards. Since our website is ‘public’ it is not subject to those same protocols. Going forward, we have engaged a cybersecurity firm that is developing a more secure site with more detailed audit and alert capabilities.”
HIPAA includes stringent rules on website security to which covered entities must adhere. These include ensuring that only individuals with proper authorization to access patient data have the permissions to do so. As KRMC’s breach was due to an accidentally misconfigured server, it is not yet known what enforcement action may be taken against the organization for the breach.