Yes, you read that headline right. A cloud-based telecommunications provider has accidentally leaked the contents of some 350 million individual records. A subset of these records included transcripts that referred to financial and medical information.
Background
Broadvoice, a cloud-based Voice over IP (VoIP) provider, delivers telecommunications services to small, medium, and enterprise-level companies all over the United States. These companies include law firms, retail stores, and medical offices.

Bob Diachenko, working on behalf of tech security firm Comparitech to index the Shodan.io IoT search engine, discovered an Elasticsearch cluster, newly indexed by the search engine, that contained ten data collections storing 350 million voicemails without any password protection. Elasticsearch is an open-source search and analytics engine that allows for real-time searching and data analysis. The misconfigured collection labeled “People Production” held account ID numbers of Broadvoice’s customers, which allowed researchers to cross-reference its entries with records in the other collections and identify Broadvoice as the common denominator.

The largest of the ten collections consisted of 275 million records with full caller names, identification numbers, phone numbers, and city and state identifiers of the individuals involved. Another subset held 2 million voicemail records, including 200,000 transcripts that contained medical identifiers such as individual business names, clinical staff labels, and appointments, as well as financial information. One transcript even included a caller identifying themselves by name and discussing a recent positive COVID-19 diagnosis.
What happened next
As a result of his findings, Diachenko reached out to Broadvoice to disclose his discovery and received only an automated response with no further correspondence. If this sounds familiar, it’s because we’ve covered this type of thing before.

SEE ALSO: GitHub Leaks Healthcare Information – HHS Still Likely Unaware

Unlike the parties involved in the GitHub breach, Broadvoice responded quickly, locking down the database on October 2nd, one day after Diachenko notified the company. Perhaps Broadvoice CEO Jim Murphy had been reading our blog all along.
What could have happened
Say Broadvoice had not locked its files down fast enough. Malicious actors could have used the exposed information to facilitate targeted email phishing attacks, posing as Broadvoice or one of its clients to convince customers to hand over login credentials or financial information. From there, the attackers could have held the data for ransom and threatened to expose it on the black market, or used the credit card information to drain the customer’s bank account. The latter is a form of identity theft that can cost the victim thousands of dollars in expenses to correct.
The main issue
The major problem here is that Broadvoice left a database open without requiring any authentication for access. Because a great deal of personal information flows through Broadvoice’s systems on behalf of doctors’ offices, law firms, retail stores, and other businesses, running a database cluster full of client information that doesn’t even require a password is absolutely egregious. Two-factor authentication is specifically designed to stop leaks like this from occurring and can satisfy the electronic PHI (ePHI) access requirements of the HIPAA Security Rule.

Additionally, since Broadvoice stores PHI on behalf of its healthcare customers, it should have executed a business associate agreement (BAA), under which a business associate agrees to protect PHI. Medical providers that partner with services that have not signed a BAA open themselves up to severe liabilities. As a result of this leak, Broadvoice could be subject to millions of dollars in fines; HHS is no stranger to doling them out to business associates as well as covered entities.

SEE ALSO: Business Associate Pays $2.3 Million for HIPAA Noncompliance
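As an added illustration, not taken from the original post or from Broadvoice, here is the kind of Elasticsearch node configuration that produces an exposure like the one described, followed by a hardened version. It assumes a self-managed Elasticsearch 7.x node on the free basic license, where the security module stays off unless explicitly enabled; the post does not say which version or hosting setup Broadvoice ran, so that is an assumption, and the address and certificate paths below are placeholders.

```yaml
# elasticsearch.yml (assumed Elasticsearch 7.x, basic license)
# Two alternative contents of the same file are shown back to back;
# a real node uses only one of them.

# === Exposed configuration: how a cluster ends up indexed by Shodan ===
# Binding to every interface makes port 9200 reachable from the internet.
network.host: 0.0.0.0
http.port: 9200
# With security left off (the 7.x basic-license default), every index is
# readable and writable by anyone who can reach the port. No password asked.
xpack.security.enabled: false

# === Hardened configuration ===
# Bind only to a private interface; reach the node through a VPN or an
# authenticating reverse proxy rather than exposing it directly.
network.host: 10.0.0.5          # constructed private address, placeholder
http.port: 9200

# Turn the security module on so every request must authenticate.
xpack.security.enabled: true

# Encrypt client (HTTP) traffic so credentials are never sent in the clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12     # placeholder path

# Encrypt and mutually authenticate node-to-node traffic; Elasticsearch
# requires this once security is enabled on a multi-node cluster.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

After restarting with the hardened file, set passwords for the built-in users with `bin/elasticsearch-setup-passwords interactive`, then confirm from outside the node that an unauthenticated `curl https://<node>:9200/_cat/indices` returns 401 rather than an index listing.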
Why you should work with Paubox
While we aren’t in the business of VoIP, we are in the business of electronic data security. Paubox Email Suite provides HIPAA compliant email by default with two-factor authentication built in. It shouldn't even be possible in 2020 to find a company that compromises protected health information (PHI) by failing to secure data with a password. Unfortunately, however, it still happens. By using a HITRUST CSF certified product like Paubox Email Suite, you can start securing your users’ PHI today.