"Misconfigured Server Exposed PHI of 600,000 Inmates"

A server misconfiguration at a company that processes medical claims for correctional facilities exposed sensitive information on nearly 600,000 inmates. On October 31, CorrectCare Integrated Health Inc. of Kentucky reported to the US Department of Health and Human Services (HHS) at least three "unauthorized access/disclosure" breaches involving its server misconfiguration incident that affected nearly 500,000 people. The HHS Office for Civil Rights' HIPAA Breach Reporting Tool website also lists several breaches reported by CorrectCare's clients in recent weeks, affecting an additional 100,000 people. Those clients include the Louisiana Department of Public Safety and Corrections, Sacramento County Adult Correctional Health, and Mediko Correctional Healthcare, a company that provides medical and mental health services to inmates in correctional facilities. According to a notification letter, two file directories on a CorrectCare web server had been exposed to the Internet. CorrectCare says the file directories contained Protected Health Information (PHI) of individuals who were incarcerated in the state prison. The exposed patient information included full names, dates of birth, Social Security numbers, and limited health information such as diagnosis codes and procedure codes. CorrectCare says no driver's license numbers, financial accounts, or payment cards were compromised. This article continues to discuss the exposure of PHI of 600,000 inmates due to a server misconfiguration.

InfoRiskToday reports "Misconfigured Server Exposed PHI of 600,000 Inmates"

Submitted by Anonymous on