HIPAA mishap puts patient PHI on Google

Breach continued for nearly three years without discovery
By Erin McCann
10:52 AM
A Huntsville, Ala., clinical diagnostics laboratory has notified more than 7,000 individuals of a HIPAA breach after the company discovered protected health information contained on a third-party server had been unsecured for nearly three years. 
 
Diatherix Laboratories last month notified 7,016 people across the U.S. that their protected health information had been compromised and viewed by unauthorized outside parties after its billing contractor, Diamond Computing Company, left the data on one of its servers accessible through Google.
 
The server, officials noted, contained patient billing documents, health insurance forms, patient names and addresses. Many of the documents also included patient Social Security numbers, dates of birth, diagnosis codes and diagnostic tests ordered.
 
 
After using an outside security firm to investigate the incident, Diatherix discovered that the server had been unsecured since Sept. 24, 2011. Diatherix further confirmed that files containing patient protected health information had been viewed from the outside in March 2014. Despite the server being unsecured and accessible on the Internet for nearly three years, Diatherix did not discover the breach until July 2014.
 
"Our organization takes information security and patient privacy very seriously," read an August notification letter to patients. "We deeply regret this situation and any inconvenience this may cause our patients."
 
Diatherix officials said they have reached out to Google and other search engines known to have indexed the files containing PHI and requested the data be removed. 
 
 
To date, nearly 39 million people have had their protected health information compromised in HIPAA privacy or security breaches involving 500 people or more, according to data from the Department of Health and Human Services.
 
The Office for Civil Rights, the HHS division responsible for investigating HIPAA violations, has demonstrated in recent months that these kinds of breaches, when due to "willful neglect," will not be tolerated. Just this May, OCR hit New York-Presbyterian Hospital and Columbia University Medical Center with its biggest HIPAA settlement yet -- $4.8 million -- for failing to protect patient data after it wound up on Google.
 
It was discovered that the HIPAA breach transpired when a Columbia University physician, who developed applications for New York-Presbyterian and the university, attempted to deactivate a personally owned computer server on the network containing ePHI. Due to a lack of technical safeguards, the server deactivation resulted in ePHI being accessible on the Internet.
 
 
The data was so widely accessible online that the entities learned of the breach after receiving a complaint by an individual who saw the ePHI of their deceased partner, a former NYP patient, online.
 
"Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems," said Christina Heide, acting deputy director of health information privacy for OCR, in a press statement announcing the settlement.