Lab Results & Medical Records Data Breach

nTreatment, a firm specializing in technology for the management of electronic health records and patient information for physicians and mental health professionals, inadvertently made thousands of confidential health records accessible online due to a lack of password protection on one of its cloud servers.

The cloud storage server, operating on the Microsoft Azure platform, held 109,000 files. A significant number of these files comprised laboratory test results originating from companies such as LabCorp, alongside medical histories, physician’s clinical observations, insurance submissions, and other private health information pertaining to patients throughout the United States. This type of data falls under the category of protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA), and violations of HIPAA regulations can lead to substantial financial penalties.

The data was not secured through encryption, and the vast majority of the sensitive files were directly accessible through a web browser. The compromised records included information relating to pediatric patients.

TechCrunch discovered the exposed data during a separate research project. Initially, the owner of the storage server was unknown, but a review of the electronic health records by TechCrunch to determine the source of the data leak revealed connections to doctors, psychiatrists, and healthcare personnel affiliated with hospitals and networks that utilize nTreatment’s services. The server also contained internal company documentation, including a confidentiality agreement with a prominent pharmaceutical provider.

The data was secured following contact from TechCrunch on Monday. In a statement, nTreatment co-founder Gregory Katz described the server as being “utilized for general storage purposes,” but did not specify the duration of the exposure.

Mr. Katz stated that the company would inform impacted healthcare providers and relevant regulatory bodies about the security incident.

This incident represents the most recent in a growing number of cases involving the unauthorized disclosure of medical data. Previously this year, a vulnerability in LabCorp’s website resulted in the exposure of numerous lab results, and reports have surfaced regarding the widespread availability of medical imaging data on the internet.