Last month, I received a letter stating that medical information used by a Business Associate had been breached. This possibly resulted in my medical information being leaked. Remember, a Business Associate is not where a patient receives treatment but a third-party vendor, someone the Covered Entity you went to trusts with your medical information.
What is interesting here is that I always thought the Covered Entity was responsible for notifying patients, even in the case when the Business Associate is at fault. But in this case, MedEvolve notified me. I’m guessing because this affected multiple Covered Entities.
How does something like this happen? Probably, when troubleshooting to get it working, someone “opened up” firewall rules or access rights. Then, when they or the person they were assisting were able to get to it, the problem was solved. They didn’t realize they had just created a security hole where anyone on the Internet could get to the resource. They might have intended to go back and tighten it up appropriately, but the crisis of not being able to access the resource was over, and time passed with the security hole just sitting there.
This happens all the time: to get it working, IT personnel undo security constraints in a broad swath. They solve the “crisis” of someone not being able to access a resource, but in the wake they leave a security hole that could lead to information being breached. They most likely think they will go back later that evening, but never do.
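An added example (not from the post, and not MedEvolve's code) of the kind of periodic check that catches the "opened up and forgotten" rule described above: it audits a constructed list of firewall allow rules, flags sensitive services reachable from any Internet address, and flags "temporary" rules that have outlived their grace period. The rule fields, port list and sample rules are assumptions made for this example.

```python
import ipaddress
from datetime import date

# Constructed sample allow rules, loosely modelled on cloud security-group or
# host-firewall entries. Field names and values are assumptions for this
# example, not any real environment's configuration.
RULES = [
    {"id": "fw-001", "port": 443, "source": "0.0.0.0/0",
     "created": "2023-01-10", "comment": "public web front end"},
    {"id": "fw-002", "port": 1433, "source": "10.0.0.0/8",
     "created": "2023-03-02", "comment": "app tier to database"},
    {"id": "fw-003", "port": 1433, "source": "0.0.0.0/0",
     "created": "2023-05-14", "comment": "TEMP: troubleshooting vendor access"},
    {"id": "fw-004", "port": 3389, "source": "::/0",
     "created": "2023-06-01", "comment": "remote desktop for support"},
]

# Services that should never be reachable from arbitrary Internet addresses
# (assumed list: SSH, MSSQL, MySQL, RDP, PostgreSQL, MongoDB).
SENSITIVE_PORTS = {22, 1433, 3306, 3389, 5432, 27017}


def is_world_open(source):
    """True when the source prefix matches every address (IPv4 or IPv6)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules, today, max_temp_days=7):
    """Return (rule_id, reason) pairs that a reviewer should look at.

    A rule can produce more than one finding, e.g. a world-open database
    port that was also marked as a temporary troubleshooting change.
    """
    findings = []
    for r in rules:
        if is_world_open(r["source"]) and r["port"] in SENSITIVE_PORTS:
            findings.append((r["id"], f"port {r['port']} open to any Internet address"))
        if "temp" in r["comment"].lower():
            age = (today - date.fromisoformat(r["created"])).days
            if age > max_temp_days:
                findings.append((r["id"], f"temporary rule still present after {age} days"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit(RULES, date.today()):
        print(f"{rule_id}: {reason}")
```

Running it on a schedule and sending the findings to the change ticket that opened the rule turns "I'll tighten it up later" into something that is actually followed up.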