Full Report
In May 2024, DataBreaches logged an incident on our worksheets that involved the Columbia University Irving Medical Center in New York. The incident had been reported to HHS as affecting 29,629 patients whose name, medical record number, date of birth, provider name, and laboratory test result had been exposed between Sept. 11, 2023, and March...
Analysis Summary
# Incident Report: Columbia University Medical Center PHI Exposure via Human Error
## Executive Summary
Columbia University Irving Medical Center (CUIMC) experienced a significant data exposure event where Protected Health Information (PHI) belonging to nearly 30,000 patients was posted publicly on the internet due to human error. The organization responded by notifying affected parties and implementing staff retraining. This incident ultimately resulted in a class-action lawsuit, which settled for $600,000.
## Incident Details
- Discovery Date: May 2024 (when the incident was logged by DataBreaches; the actual discovery date is unknown)
- Incident Date: Between September 11, 2023, and March 7, 2024
- Affected Organization: Columbia University Irving Medical Center (CUIMC)
- Sector: Healthcare
- Geography: New York, USA
## Timeline of Events
### Initial Access
- Date/Time: Between Sept. 11, 2023, and March 7, 2024
- Vector: Human Error (Employee posting PHI to the Internet)
- Details: An employee posted the protected health information (PHI) of 29,629 individuals online.
### Lateral Movement
- Not applicable. The incident appears to be a direct disclosure rather than a multi-stage network intrusion.
### Data Exfiltration/Impact
- Data exposed included names, medical record numbers, dates of birth, provider names, and laboratory test results for 29,629 patients.
### Detection & Response
- Detection: The incident was reported to HHS and logged by DataBreaches in May 2024.
- Response actions taken: CUIMC secured the publicly posted data and provided additional training to staff regarding PHI protection requirements. CUIMC also notified HHS, affected individuals, and the media, and posted a substitute notice on its website.
## Attack Methodology
- Initial Access: **Human Error/Inappropriate Data Handling.** (An employee posted data publicly).
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: The data was posted to the public internet by an employee. The posting itself was a deliberate act, but exposing PHI was an error rather than an attack.
- Impact: Disclosure of sensitive personal and health data leading to regulatory scrutiny and civil litigation.
## Impact Assessment
- Financial: Settled a class-action lawsuit for $600,000 (minus fees/administration). Claimants are eligible for reimbursement of up to $10,000 for documented losses.
- Data Breach: PHI exposed for 29,629 patients, including Name, MRN, DOB, Provider Name, and Lab Test Results.
- Operational: Minimal operational disruption reported, mainly focused on remediation (securing data) and notification requirements.
- Reputational: Negative publicity requiring public notification and leading to a settled lawsuit.
## Indicators of Compromise
- *Note: Since this was an intentional, erroneous external posting, traditional technical IOCs are limited.*
- Behavioral Indicators: Unauthorized public disclosure of records containing PHI fields (Name, MRN, DOB, Lab Results).
## Response Actions
- Containment measures: The covered entity "secured the data" that had been posted on the Internet.
- Eradication steps: N/A (no indication of persistent unauthorized access to the environment).
- Recovery actions: Notified affected individuals and the media, posted a substitute notice, and provided staff with additional training.
## Lessons Learned
- Human error remains a primary vector for major data breaches, especially concerning PHI handling.
- Internal processes for posting highly sensitive data (especially to the public internet) must include multi-stage verification controls.
- Failure to adequately secure PHI through procedural or technical means creates significant financial risk through litigation (as the $600K settlement shows).
## Recommendations
- Implement mandatory, recurring, and audited training specifically addressing the secure handling and transmission of Protected Health Information (PHI).
- Enforce stricter access controls and multi-factor authentication/authorization procedures for any platform used to publish or host sensitive data, ensuring that public-facing servers are technically incapable of hosting such information without manual oversight.
- Review procedures for handling laboratory data and employee-generated sensitive entries to prevent accidental internet exposure.
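As an added illustration of the multi-stage verification and "no PHI on public-facing servers without manual oversight" controls recommended above (example code written for this summary, not CUIMC's or anyone else's production tooling): a pre-publication gate that scans a CSV export for the five PHI fields named in the report and refuses to release it unless two distinct approvers have signed off. The column and value patterns, the two-person rule, and the sample records are all constructed assumptions; a real deployment would tune them to the institution's own identifier formats.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Column-name patterns for the five PHI fields the report lists (name, MRN,
# DOB, provider name, lab result). Constructed for this example; real schemas vary.
PHI_COLUMNS = {
    "name": re.compile(r"^(patient[_ ]?)?name$|^(first|last)[_ ]?name$", re.I),
    "mrn": re.compile(r"^(mrn|medical[_ ]?record([_ ]?(no|num|number))?)$", re.I),
    "dob": re.compile(r"^(dob|date[_ ]?of[_ ]?birth|birth[_ ]?date)$", re.I),
    "provider": re.compile(r"^(provider|attending|physician)([_ ]?name)?$", re.I),
    "lab_result": re.compile(r"^(lab|test)[_ ]?result|^result$|^analyte$", re.I),
}
# Value patterns catch PHI even when a column is unlabelled or mislabelled.
PHI_VALUES = {
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/(?:19|20)\d{2}\b"),
}

@dataclass
class GateDecision:
    allowed: bool
    findings: list = field(default_factory=list)
    reason: str = ""

def scan_csv(text: str) -> list:
    """Return (kind, location) findings for a CSV that is about to be published."""
    reader = csv.DictReader(io.StringIO(text))
    findings = [(kind, f"column '{col}'") for col in reader.fieldnames or []
                for kind, pat in PHI_COLUMNS.items() if pat.search(col.strip())]
    for row_no, row in enumerate(reader, start=2):  # header is line 1
        for col, val in row.items():
            for kind, pat in PHI_VALUES.items():
                if val and pat.search(val):
                    findings.append((kind, f"row {row_no}, column '{col}'"))
    return findings

def publish_gate(text: str, approvers: set) -> GateDecision:
    """Two-person rule (assumed control): PHI-bearing content needs two distinct approvers."""
    findings = scan_csv(text)
    if not findings:
        return GateDecision(True, [], "no PHI indicators found")
    if len(approvers) >= 2:
        return GateDecision(True, findings, "PHI present; released under two-person approval")
    return GateDecision(False, findings, "PHI present; blocked pending a second approver")

# Constructed sample inputs (fictitious records, not from the incident).
LAB_EXPORT = ("patient_name,mrn,date_of_birth,provider,lab_result\n"
              "Jane Doe,MRN 00123456,1980-04-12,Dr. A. Smith,HbA1c 7.2%\n")
AGGREGATE = "department,visit_count\nCardiology,412\n"
```

Running `publish_gate(LAB_EXPORT, {"alice"})` blocks the export with seven findings (five flagged columns plus the MRN and DOB values in row 2), while the aggregate table passes with no approvers at all.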