Breastcancer.org (“BCO”) is reported to have misconfigured its data storage, exposing “hundreds of thousands” of user files containing sensitive medical images.
According to SafetyDetectives, a pro bono research lab, BCO’s unsecured data exposed over 350,000 files containing user images and the EXIF metadata attached to posted images. With images and EXIF data available to be freely viewed, BCO may have revealed users’ medical conditions, along with where they live, where they get medical treatment, and any number of other pieces of personal information.
The exposed images were found by the research lab to comprise, in part, medical test results and patient images, both clothed and nude. The data is purported to have contained files dating back to 2017.
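The EXIF exposure described above is the reason upload pipelines commonly strip image metadata before storage. As an added example that is not part of the original post and not BCO’s code, the following Python builds a constructed JPEG carrying an Exif APP1 segment with a GPS sub-IFD, checks for the GPS pointer (tag 0x8825) and strips the Exif segment; the sample bytes and all function names are assumptions.

```python
import struct

def _constructed_exif():
    """Minimal little-endian TIFF: IFD0 holds one GPS IFD pointer; GPS IFD holds GPSLatitudeRef='N'."""
    tiff = b"II" + struct.pack("<HI", 0x2A, 8)                       # header, IFD0 at offset 8
    ifd0 = struct.pack("<HHHII", 1, 0x8825, 4, 1, 26) + struct.pack("<I", 0)  # GPS IFD at offset 26
    gps = struct.pack("<HHHI", 1, 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)
    return b"Exif\x00\x00" + tiff + ifd0 + gps

_EXIF = _constructed_exif()
# Constructed sample: SOI, APP1 (Exif), a stub DQT segment, EOI. Not a decodable picture.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(_EXIF) + 2) + _EXIF
               + b"\xff\xdb\x00\x04\x00\x00" + b"\xff\xd9")

def _segments(data):
    """Yield (marker, start, end) for every marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: entropy-coded data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00"

def exif_has_gps(tiff):
    """True if IFD0 of the TIFF block contains the GPSInfo IFD pointer (0x8825)."""
    end = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack(end + "I", tiff[4:8])
    (count,) = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])
    tags = [struct.unpack(end + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0] for i in range(count)]
    return 0x8825 in tags

def image_has_gps(data):
    return any(_is_exif(data, s) and exif_has_gps(data[s + 10:e]) for _, s, e in _segments(data))

def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed; pixel data is copied untouched."""
    out, pos = bytearray(data[:2]), 2
    for _, s, e in _segments(data):
        if not _is_exif(data, s):
            out += data[s:e]
        pos = e
    out += data[pos:]
    return bytes(out)
```

Run `image_has_gps` at upload time as a detection check and `strip_exif` before the object is written to storage, so a later storage misconfiguration exposes no location data.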
SafetyDetectives has stated that it informed Breastcancer.org about the exposed data on November 17, 2021, and then again on November 21, 2021. When no response was received, it sent further messages on December 14, 2021. SafetyDetectives reported that it found the data secured on May 4, 2022.
Large caches of unsecured personal medical information have been found online by others. For example, the MacKeeper Security Research team reported that it had discovered unsecured plastic surgery records online in 2016 and 2017. And CybelAngel reported a massive trove of 45 million unsecured medical images on unprotected servers in 2020.
As noted by the California Attorney General,
“The privacy and security of health data is essential and protects the public from losses that could result from the fraudulent use of consumers’ personal information obtained from a breach of health data.”
California’s commitment to the confidentiality of medical records is longstanding. In 2017, the California Attorney General announced a settlement with Cottage Health System that required the payment of a $2 million penalty for Cottage Health’s alleged failure to adequately protect patient records. According to the complaint filed in that matter, more than 50,000 patient records were available online without encryption or other protections to prevent unauthorized access.
California Laws Protect Patient Personal Information
If you are a California resident, the California Confidentiality of Medical Information Act (CMIA) requires that many businesses that maintain medical information do so in a manner that preserves its confidentiality.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business adopts reasonable security practices that protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from recurring. Under the CMIA, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.