A database containing the personally identifiable information (PII) of more than 16,000 children has been exposed over the Internet and could be accessed without a password or any other form of authentication. The database was found by security researcher Jeremiah Fowler and the Website Planet team and was traced to Tridas Group LLC. Tridas Group is the developer of Tridas eWriter, a web-based software solution that allows parents and teachers to rapidly complete interviews to facilitate the diagnosis and management of children with developmental and behavioral issues.
Fowler sampled 1,000 records and said all of the records contained at least some form of PII of children, with each of the records having a unique patient ID number. The records also included names, birth dates, home addresses, school attended, special needs, medical diagnoses, and details of behavioral or social problems. The records appeared to be questionnaires that had been completed by parents ahead of their first evaluation appointment.
According to the Website Planet report, the database could be accessed by anyone “through a misconfigured IP that showed the host domain, login portal, and where the data was stored.” The researchers were unable to determine how long the records had been exposed or whether they had been accessed by unauthorized individuals. There were no indications that the database included test data or dummy records and, in many cases, the records described behavioral problems in great detail. According to the Trident website, the Trident Center closed on December 31, 2019. Further details can be found in the Website Planet report.
South Walton Fire District Ransomware Attack Affects Up to 25,331 Individuals
South Walton Fire District in Florida has recently announced that it was the victim of a ransomware attack in late May 2022. The fire district, which provides fire protection and emergency medical services, discovered on May 30 that an unauthorized third party had gained access to its computer network. Assisted by third-party cybersecurity experts, the fire district learned that the threat actor had access to parts of the network that contained information protected under HIPAA, including names, addresses, Social Security numbers, dates of birth, treatment dates, medical diagnostic and treatment information, and health insurance information.
The investigation and subsequent verification of contact information for affected individuals were completed in October 2022. Notification letters have now been sent to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. The fire department confirmed that it was able to secure its digital environment without paying the ransom demand and has implemented additional layers of security to prevent further incidents.
The breach has been reported to the HHS’ Office for Civil Rights as affecting 25,331 individuals.
The post Unsecured Database Exposed 16,000+ Children’s Records appeared first on HIPAA Journal.