Something went wrong here and a thorough review of risk assessment, business associate agreements, security protections, and incident response seems in order.ĭ reached out to HealthSplash to ask them whether they ever notified BioTel of the leak last August and whether they examined logs to determine how many unauthorized IP addresses may have accessed or downloaded data from the misconfigured bucket. hopes that OCR does not just close its investigation just because BioTel has now disclosed. This incident is not yet up on HHS’s public breach tool. BioTel says it will require the vendor to securely delete all files after they securely provide them to BioTel.But how many unauthorized IP addresses accessed the data? How many downloaded it? But what did BioTel find out from the vendor other than date of exposure, types of data, and the identities of the patients affected? Did the vendor have access logs? BioTel claims that there is no evidence of misuse of the data (and they are offering complimentary monitoring/restoration services).If HealthSplash failed to notify BioTel, this overhead would be ironic. If that’s true, it would appear to be a violation of HIPAA, and it is no surprise to read in the notification that BioTel has terminated its relationship with the vendor. The fact that they say the “discovered” the vendor’s leak in January, 2021 seems to indicate that their vendor never informed them of the incident.The notification makes no mention or admission of that. Their “discovery” at the end of January is only because they didn’t read their email back in August of 2020 and thereafter when we repeatedly reached out to them.Maybe they meant to say that it was not a recent incident but they only discovered it recently? They say that they discovered it on January 28, 2021. It began in 2019 and continued until August 9, 2020, as they note in their letter. In its March 26 notification, BioTel described the incident as “recent.” This was not a “recent” incident.A copy of the notification is embedded below. Yesterday, a template of a notification letter to BioTel’s patients was uploaded to the California Attorney General’s site (BioTel also does business as LifeWatch Services, Inc. He never got back to this site, so has no idea what their internal investigation revealed. He wanted to know how this site had attempted to contact them, and this site wanted to know whether it was their bucket and why neither they nor HealthSplash/SplashRx had responded to multiple attempts to contact them. He informed this site that they had just discovered this site’s August, 2020 report about them having a leak and they were conducting an internal investigation to find out why they had known nothing about it until they came across this site’s reporting. On February 2, got a phone call from a lawyer for BioTel. Getting no answers and seeing no disclosures despite the fact that more than 3 months had passed since the bucket owner had been notified by Amazon and the bucket had been secured, filed a watchdog complaint against both entities with OCR in November. But continued to try to contact the entities to inquire whether either was notifying regulators or patients. On August 9, the bucket was secured and reported on the leak shortly thereafter. As is their policy, however, Amazon never told the researcher who their client was - only that they contacted them to secure the bucket. It was only with Amazon’s assistance that the researcher was able to get the bucket secured. HealthSplash appeared to be involved in insurance billing somehow for BioTel Heart, but neither entity responded to multiple attempts by this site to contact them to alert them to the fact that ePHI was exposed and possibly had been exposed since 2019. The files had some recurring names on them, but neither the researcher nor were ever able to conclusively determine who owned the bucket, although it appeared to be either BioTel Heart or HealthSplash/SplashRx. The researcher shared the data with in an attempt to determine who owned the storage bucket. They came from numerous medical providers. The files included medical histories, findings, and insurance billing documentation requests. The leaky Amazon s3 bucket appeared to be storing files related to patients having cardiac diagnostic monitoring and evaluation. In August, 2020, reported on a data leak discovered by a researcher. But why didn’t they know about it already from the vendor last year or from the notifications this site had sent them last year? A cardiac monitoring firm is now notifying patients after a Google search on their name in January led them to an August, 2020 report on this site about a vendor’s leak.
0 kommentar(er)
