Software Firm Notifying Patients Practices of Data Exposure
Cloud Security
Data Breach Notification
Data Security
A vendor of cloud-based orthodontic practice software is notifying an undisclosed number of patients that their data was exposed to the internet for 10 days last November. But the security researcher who discovered the unsecured database alleges the exposure appears to have lasted longer than that and affected at least 200,000 patients.

Georgia-based OrthoMinds, in a public statement Thursday, said it is notifying clients and individuals potentially affected by the "data security breach."

"In November 2024, OrthoMinds learned of a potential incident within its network environment. Upon discovery, OrthoMinds launched an investigation into the nature and scope of this potential incident, including remediation efforts," the company said. "OrthoMinds' investigation determined that files and folders stored on certain databases may have been accessible to others outside its organization between Nov. 17 and Nov. 27, 2024," the firm said.

"As a result, OrthoMinds remediated to prevent the potential for ongoing access and began an extensive review of these files and folders to determine whether sensitive information may be impacted," the company said.

The information potentially compromised includes names, dates of birth, medical information, health insurance information, payment card information and Social Security numbers.

But the security researcher who discovered the unsecured data and notified OrthoMinds about his findings last November told Information Security Media Group that the server containing the databases was exposed at least since October 2024, if not longer.

It appears that potentially hundreds of OrthoMinds clients and more than 200,000 patients were affected by the exposure, he said.

The researcher, who goes by the handle JayeLTee, issued a report in January about his OrthoMinds discovery. JayeLTee told ISMG that he monitors millions of endpoints for exposed data and tries to find things to report "between all the junk."

"Around Oct. 23, 2024, this server showed up on my logs, along with hundreds of thousands of other servers, as allowing listing of files with no authentication," he said. "It was only in November 2024 that I eventually looked specifically at this server to see what was exposed and then contacted the company. So the server was exposed at least since October 2024."

In his January report, JayeLTee said he found exposed 186371 gigabytes of data, or more than 300 database backups dating from November 2020 through mid-October 2024, belonging to dental clinics that are OrthoMinds clients.

"It was 300 files exposed, but some clients had multiple backup files that looked like they spanned through multiple years from the timestamps on the filenames, so the client number would be less than that," he said. "It was at a minimum over 200,000 patients just by looking at one of the backups, but I have no clue how much more than that," he told ISMG.

OrthoMinds initially reported the breach to federal regulators on Jan. 24 as a hacking/IT incident involving a network server and "other" IT. The company told the U.S. Department of Health and Human Services that the incident affected 501 individuals, but that estimate was likely a placeholder figure at the time.

OrthoMinds did not immediately respond to ISMG's request for additional details about the incident, clarification about the actual number of individuals and clients affected, and whether the firm was filing an updated breach report to HHS OCR.

In a breach notice posted on its website, OrthoMinds said that it has no evidence indicating that information was misused, or that there were attempts to misuse it, to date.

OrthoMinds said it is offering complimentary credit monitoring to individuals whose Social Security numbers or payment card information may have been compromised in the incident.

OrthoMinds also "reviewed and enhanced existing policies and implemented additional technical security measures to further protect against similar incidents moving forward," the company said.

Unfortunately, incidents involving the exposure of data to the internet because of IT misconfigurations or similar mishaps are a persistent problem in healthcare as well as other sectors.

"What happened here was the company left a cloud storage server with no access controls, and anyone who found this server could list all the files and download them with no authentication at all," JayeLTee told ISMG.

Other security researchers have discovered similar incidents involving the exposure of unsecured health data to the web.

That includes researcher Jeremiah Fowler of security services firm Security Discovery in February disclosing the discovery of an unsecured database containing 2 terabytes of data, allegedly exposing more than 16 million clinical trial research records to the internet, related to Houston-based DM Clinical Research, a multi-therapeutic network of clinical trial sites (see: Clinical Trial Database Exposes 16M Records to Web).

That discovery was among many others by Fowler involving exposures of health data and other sensitive information (see: Mental Health Records Database Found Exposed on Web).

Federal regulators have taken HIPAA enforcement actions in at least one large incident involving protected health information exposure because of a misconfiguration (see: Clearinghouse Pays 250K Settlement in Web Exposure Breach).

"This is indeed really common. The exact reasons why this happens, though, is unknown to me, as I don't ask why, and companies don't usually disclose it either," JayeLTee told ISMG, while also talking about the recurring mishaps involving the unintentional leakage of sensitive data to the web.

"But it all comes down to companies not properly securing their environments and leaving data publicly exposed," he said.

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
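The failure mode JayeLTee describes above, a cloud storage server that answers unauthenticated list and download requests, is one a defender can catch in the storage service's own access logs long before an outside researcher writes in. The following Python script is an added example, not code from the article, from OrthoMinds or from JayeLTee. It assumes the positional layout of Amazon S3 server access logs (bucket owner, bucket, bracketed time, remote IP, requester, request ID, operation, key, quoted request URI, HTTP status, with anonymous callers recorded as a requester of `-`) and flags every successful anonymous listing (`REST.GET.BUCKET`) and download (`REST.GET.OBJECT`). The log lines, bucket name and account identifiers are constructed for the example.

```python
"""Flag unauthenticated bucket listings and object downloads in storage access logs."""
import re
from collections import Counter

# One token is a [bracketed timestamp], a "quoted string", or a bare field.
_FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Positional fields relied on, in the assumed S3 server-access-log order.
_FIELDS = ("owner", "bucket", "time", "remote_ip", "requester",
           "request_id", "operation", "key", "request_uri", "status")

LISTING_OPS = {"REST.GET.BUCKET"}   # directory-style listing of the bucket
DOWNLOAD_OPS = {"REST.GET.OBJECT"}  # fetch of a single object

# Constructed sample lines (not real log data): two successful anonymous
# requests, one anonymous request that was correctly denied, and one
# authenticated write by a backup service account.
SAMPLE_LOG = """\
acct1 clinic-backups [23/Oct/2024:14:02:11 +0000] 198.51.100.7 - 3E57427F33A59F07 REST.GET.BUCKET - "GET /clinic-backups/?list-type=2 HTTP/1.1" 200 - 4321 - 12 11 "-" "Mozilla/5.0" -
acct1 clinic-backups [23/Oct/2024:14:02:40 +0000] 198.51.100.7 - 7C2E1B9A4D5F6E80 REST.GET.OBJECT backups/clinic_a/2024-10-01.bak "GET /clinic-backups/backups/clinic_a/2024-10-01.bak HTTP/1.1" 200 - 8388608 8388608 950 12 "-" "curl/8.4.0" -
acct1 clinic-backups [23/Oct/2024:15:10:05 +0000] 203.0.113.9 - 1A2B3C4D5E6F7A8B REST.GET.OBJECT backups/clinic_b/2024-10-01.bak "GET /clinic-backups/backups/clinic_b/2024-10-01.bak HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "python-requests/2.32" -
acct1 clinic-backups [23/Oct/2024:16:00:00 +0000] 10.0.4.21 arn:aws:iam::111122223333:user/backup-svc 9F8E7D6C5B4A3F2E REST.PUT.OBJECT backups/clinic_a/2024-10-23.bak "PUT /clinic-backups/backups/clinic_a/2024-10-23.bak HTTP/1.1" 200 - - 8388608 410 15 "-" "aws-sdk-go/1.50" -
"""


def parse_line(line):
    """Split one log line into the leading positional fields; None if too short."""
    tokens = _FIELD.findall(line)
    if len(tokens) < len(_FIELDS):
        return None
    rec = dict(zip(_FIELDS, tokens))
    rec["request_uri"] = rec["request_uri"].strip('"')
    return rec


def audit_access_log(text):
    """Count anonymous access against the bucket and record what was reachable."""
    findings = {
        "anonymous_listing": 0,   # unauthenticated listings that succeeded
        "anonymous_download": 0,  # unauthenticated object reads that succeeded
        "denied_anonymous": 0,    # unauthenticated requests the bucket rejected
        "exposed_keys": [],       # object keys served without authentication
        "source_ips": Counter(),  # who pulled data anonymously, and how often
    }
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["requester"] != "-":
            continue  # unparsable line, or an authenticated caller
        if not rec["status"].startswith("2"):
            findings["denied_anonymous"] += 1  # access control did its job
            continue
        if rec["operation"] in LISTING_OPS:
            findings["anonymous_listing"] += 1
        elif rec["operation"] in DOWNLOAD_OPS:
            findings["anonymous_download"] += 1
            findings["exposed_keys"].append(rec["key"])
        else:
            continue  # other anonymous operations are out of scope here
        findings["source_ips"][rec["remote_ip"]] += 1
    return findings


if __name__ == "__main__":
    result = audit_access_log(SAMPLE_LOG)
    print(f"anonymous listings : {result['anonymous_listing']}")
    print(f"anonymous downloads: {result['anonymous_download']}")
    print(f"denied anonymous   : {result['denied_anonymous']}")
    for key in result["exposed_keys"]:
        print(f"  exposed object   : {key}")
    for ip, n in result["source_ips"].most_common():
        print(f"  source {ip}: {n} request(s)")
```

Run against real logs with `audit_access_log(open(path).read())`. On a bucket holding database backups, any non-zero anonymous listing or download count is an incident in its own right, and the `exposed_keys` list is the starting scope for notification; a rising `denied_anonymous` count on a correctly locked bucket shows the same internet-wide probing the researcher describes, hitting a control that held.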