In a cloud storage security lapse, NTreatment exposed around 109,000 files that contained health records and lab results.
The said cloud server was hosted on Microsoft Azure.
NTreatment, a U.S.-based health tech company, experienced a security lapse on one of its cloud storage servers hosted on Microsoft Azure, which lacked password protection. The incident exposed around 109,000 files that contained health records, doctors’ notes, insurance details and claims, lab results, and much more. NTreatment, if proven guilty for the lack of basic security protocols, can attract a hefty fine from the Health Insurance Portability and Accountability Act (HIPAA).
Reason Behind the Lapse
NTreatment provides electronic health records (EHR) maintenance services for doctors based in the U.S. The lapse was found when researchers from TechCrunch stumbled upon the trove during a separate investigation. However, with the amount of PII being exposed, they decided to investigate it deeper. Researchers found three astonishing findings:
- The Microsoft Azure server used to store the data that did not have any password.
- None of the data discovered on the server was encrypted.
- All the exposed data could be easily viewed in any browser.
NTreatment’s exposed data contained the following set of information:
- Lab test results from third-party providers like LabCorps.
- Medical records, doctors’ notes, insurance claims, and other sensitive health data of patients having tie-up doctors and healthcare providers using NTreatment HER services.
- Company’s internal documents, including a non-disclosure agreement (NDA) with a prescription provider.
TechCrunch’s researchers reached out to NTreatment to get the issue fixed to which they responded promptly. For the time being, any exploitation or download of the said data is not known. However, the set of data exposed included a certain subset of information, which is deemed highly protected under the HIPAA. Although they have dodged the bullet from threat actors, the researchers believe that NTreatment can be slapped with a heavy fine.