Server glitch exposed PHI of 7k patients for 3 years

The protected health information (PHI) of 7,016 patients at Diatherix Laboratories, a Huntsville, Ala.-based company, was exposed for three years online after its contractor, Diamond Computing Company, accidentally allowed one of its computer servers to be made accessible through the internet.

After an investigation, Diatherix discovered that the information first became unsecured on Sept. 24, 2011 and was accessed on Oct. 16, 2011, but no PHI was viewed at this time. However, PHI was accessed on March 7, according to a notice to patients.

“As soon as the lapse was discovered, Diatherix took immediate steps to secure the PHI,” the company said. The server was shut down on July 10.

The types of information breached include patient name, patient account number, address, date of test and insurance information. A limited number of the documents included Social Security numbers, dates of birth, diagnosis codes and the type of test ordered for the patient, but none included laboratory test results, banking information or credit card information.

Diatherix implemented the following security measures to minimize the risk of future incidents:

  • Confirming that Diamond Computing Company has destroyed or secured all information of Diatherix patients that was stored on the server;
  • Contacting Google and other search engines known to have accessed documents containing PHI and requesting that all PHI be removed from their files; and
  • Initiating a security review of other, similar Diatherix vendors who have access to PHI to confirm their security procedures.

“We deeply regret this situation and any inconvenience this may cause our patients,” according to the notice. Diatherix gave affected patients a pre-paid one-year protection plan with a leading credit reporting agency.
