NTreatment, a technology company that manages electronic health and patient records for doctors and psychiatrists, left thousands of sensitive health records exposed to the internet because one of its cloud servers wasn’t protected with a password.
The cloud storage server was hosted on Microsoft Azure and contained 109,000 files, a large portion of which contained lab test results from third-party providers like LabCorp, medical records, doctors’ notes, insurance claims and other sensitive health data for patients across the U.S., a class of data considered protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Running afoul of HIPAA can result in steep fines.
None of the data was encrypted, and nearly all of the sensitive files were viewable in the browser. Some of the medical records belonged to children.
TechCrunch found the exposed data as part of a separate investigation. It wasn’t initially clear who owned the storage server, but many of the electronic health records that TechCrunch reviewed in an effort to trace the source of the data spillage were tied to doctors and psychiatrists and healthcare workers working at hospitals or networks known to use nTreatment. The storage server also contained some internal company documents, including a non-disclosure agreement with a major prescriptions provider.
The data was secured on Monday after TechCrunch contacted the company. In an email, nTreatment co-founder Gregory Katz said the server was “used as a general purpose storage,” but did not say how long the server was exposed.
Katz said the company would notify affected providers and regulators of the incident.
It’s the latest in a series of incidents involving the exposure of medical data. Earlier this year we found a bug in LabCorp’s website that exposed thousands of lab results, and reported on the vast amounts of medical imaging floating around the web.