Lake Mary, Fla.-based MedWatch, a care management company that offers risk management solutions to self-funded health plans, began notifying their clients' health plan members April 13 that a vendor misconfiguration error exposed their protected health information between October 2017 and December 2017.
MedWatch said during a routine update, the vendor, which it did not name, inadvertently misconfigured the online portal to allow some internet search engines to potentially make certain information available. Immediately after learning about the incident, MedWatch secured the portal, requested the search engines delete all cached data and launched an investigation.
Potentially compromised information includes members' full names, dates of service, employer group health plan names, dates of birth, health insurance numbers and providers' full names. Some members' Social Security numbers may have been involved. MedWatch is not aware of any misuse of members' information.
"We take this matter very seriously and sincerely apologize that this situation has occurred," reads a notice on the organization's website. "We have taken steps to enhance our security program, controls, and procedures as a result of this incident. We also have re-educated our staff and vendor on the proper handling of personal and protected health information."
More articles on cybersecurity:
Former Berkeley Medical Center employee owes $22k after stealing patient data
US, UK issue joint alert on alleged Russian state-sponsored cyberattacks
63% of organizations that have suffered a data breach implement biometric authentication: 5 things to know