Nearly 1 million patient records leaked after telemarketer blunder

A failed contract to build a customer database for HealthNow Networks left personal health information exposed online for months, according to an investigation by ZDNet and DataBreaches.net.
By Jessica Davis
04:02 PM

The personal health data of 918,000 seniors was posted online for months, after a software developer working for HealthNow Networks uploaded a backup database to the internet, an investigation by ZDNet and DataBreaches.net found.

Boca Raton, Florida-based HealthNow Networks is a telemarketing company that used to provide medical supplies, mostly to seniors who rely on diabetic equipment. However, it has not been a registered business since 2015, when it failed to file an annual report with Florida authorities.

The software developer was contracted to build a customer database for HealthNow Networks, but the developer told researchers it was "too much work." The database in question was found on MediboxSolutions, which is owned by the developer.

The developer did not explain to the researchers why he still had control of the data, or why he had not deleted it after all this time, as the HealthNow Networks project was three years ago. The database has since been deleted.

The exposed database included names, addresses, dates of birth, telephone numbers, emails, Social Security numbers, health insurance carriers, policy numbers and medical conditions. The researchers also found notes about patients from telemarketers that included highly sensitive information about family make-up and specific health conditions.

Fortunately, many records were truncated or incomplete. But the database contained 321,920 unique email addresses, which increases the likelihood and success of spam, malware or ransomware campaigns targeted at diabetic patients.

Many of the people included in the database gave health insurance details to the telemarketer in exchange for diabetic supplies for a lower price, according to researchers.

As HealthNow Networks isn’t covered under HIPAA, it’s unlikely the patients included in the breach will be notified. But the FTC has been contacted.

Twitter: @JessiefDavis
