Children’s National Health System, based in Washington, D.C., has issued a notice about a potential data breach after a third-party vendor inadvertently misconfigured a file site that enabled patient information to be accessed online.
Accord to a press release about the incident posted on the Children’s National Health System website, the potential data breach could impact patient information for as many as 4,107 patients.
Ascend Healthcare Systems provided medical transcription services to Children’s National between May 1, 2014 and June 23, 2014. On February 25, 2016, Children’s National became aware that Ascend, an outside dictation vendor required under contract to maintain privacy of patient records, had inadvertently misconfigured a File Transfer Protocol (FTP) site—a standard network that is used to store and transfer computer files.
“This might have allowed access from the Internet to transcription documents from a number of healthcare entities including Children’s National. We immediately began an investigation and determined that from February 19, 2016 to February 25, 2016 certain transcriptions could be located through a search engine, such as Google. These transcriptions may have contained patients’ names, dates of birth, medications, and notes by physicians regarding patients’ diagnoses and treatments,” the health system system stated in its online posting.
The information did not contain billing or financial information of Social Security numbers. Children’s National is reaching out to individuals whose data were potentially accessible, the health system stated.
Patient data on the site may have included names, dates of birth, medication, and physicians’ notes regarding diagnosis and treatment.
“As soon as the health system became aware of the issue, the transcription company, Ascend, was contacted and asked to re-secure the site and remove the transcription documents from the Ascend server. Children’s National is not aware of any unauthorized access to or misuse of these documents,” according to the health system.
Children’s National ceased doing business with Ascend on June 23, 2014, and as part of that separation Ascend was contractually obligated to delete all Children’s patient information.