Name of Entity
Einstein Healthcare Network
Organization Type
Healthcare, Medical Providers & Medical Insurance Services
Address
PA
United States
Description
The covered entity (CE), Einstein Healthcare Network, reported that between April 11, 2013 and March 21, 2017, its website, Einstein.edu, contained a webpage form where a visitor could "Request an Appointment" that allowed protected health information (PHI) to be left accessible via the internet, including demographic and clinical information. The CE staff used this data to schedule the requested appointment(s) for patients. The CE learned that it was possible to cause the website to display PHI by submitting an unexpected string of characters in the universal resource locator (URL). Google accessed these specially crafted URLs in order to attempt to add these web pages to the list of pages that can be searched by Google. The CE reviewed the information provided on the forms and determined that it demonstrated a low probability of compromise for most patients. The CE provided breach notification to the remaining 2,034 patients, HHS, and the media. Following the breach, the CE worked with Google to have the information removed from indexing. Subsequently, the CE conducted a system-wide risk assessment and penetration test to specifically assess for security vulnerabilities on the website, changed the vendor used for website creation and hosting, and built and tested a new "Einstein.edu" website. OCR obtained assurances that the CE implemented the corrective actions listed.
Location of breached information: Other
Business associate present: No
Date of Breach
01/01/2016