Jefferson Medical Associates (JMA) mentioned that an unauthorized individual unlawfully accessed and copied one of the practice’s databases. According to the investigation carried out by Mississippi medical group, database access occurred on 1st of June. Also, several remote connection to the database were made from March 25, 2014, and June 1, 2016.
Affected information includes patient names, dates of birth, Social Security numbers, addresses, and phone numbers. Also, limited JMA prescription information, including drug names, dosages, and refill quantities, may also have been involved.
“We sincerely regret any concern or inconvenience this incident has caused or may cause any of our valued patients,” JMA’s Administrator Robby Graham said in a statement. “We take the privacy of their health information as seriously as we do their care. We want to assure our patients and the community we serve that we will continue to work both to understand this incident and to implement measures to further strengthen our data security.”
Investigators said that unauthorized individual accessed the data just to show their ability.
“JMA has not been able to determine whether any of these other connections actually resulted in any acquisition, access, use, or disclosure of patient information, but it is possible,” the medical group explained.
According to the OCR data breach reporting tool, 10,401 individuals may have been affected. Facility will send the emails to affected individuals, Also, one year of credit monitoring and identity protection services is offered.
“I was just going through randomly looking at the publicly available, configured for public access databases on those ports, and this one showed up,” Cybersecurity researcher Chris Vickery told local news station. “When I realized there Social Security numbers and names and phone numbers and prescription information, it dawned on me that ‘hey this probably should not be public if it is real data.’ So then I started the process of trying to figure out whose it was.”
According to the Vickery, “the incident should not be considered a hack because the data was available to anyone who knew where to look.”
“This information is private information,” Jefferson Medical’s legal counsel Katie Gilchrist told the news source. “It’s federally protected information. It’s information that was on our server. This individual accessed it without our permission. He did in secret. There has never been a time when patient information in Jefferson Medical’s possession has been just out there for anyone to get to.”
Alertsec is used by organizations that have recognized the need to protect their information. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.