Cyber threat firm’s error exposes health data of 1.6M Puerto Ricans

As many as 1.6 million individuals in Puerto Rico may have their health information exposed because of a snafu by an information technology vendor.

Inmediata Health Group operates a database that captures current cyber threats and assesses, remediates and monitors risks to critical business systems and data. In January, Inmediata became aware that protected data was viewable online because a web page setting permitted search engines to index internal webpages used for business operations.

“Based on the current findings of the ongoing investigation, we have no evidence that any files were copied or saved,” Inmediata told affected individuals in a breach notification letter. “In addition, we have not discovered any evidence to suggest that any information potentially involved in this incident has been subject to actual or attempted misuse.”

The organization also noted that only a very small group of persons may have had Social Security numbers compromised, and letters mailed to individual patients specifically stated what types of their data may have been at risk.

The breach notification does not include an offer of protective services, but it includes information on steps individuals can take to monitor and protect their data.

Jon Moore, senior vice president and chief risk officer at Clearwater, a cyber risk assessment firm, speculates that sufficient controls were not put in place before the website was activated.

“Many vendors underestimate the risk posed by technology that we already use,” he notes. “Vendors make technology easy to deploy, but it’s also easy to set up wrong and put the system into production with insufficient controls.”

Healthcare organizations, he adds, need to have appropriate administrative and technical controls and to establish baseline configurations for servers, harden those servers and monitor them on an ongoing basis.

There was no immediate response from Inmediata to a request for additional information on the data breach.
