Patient records stored by electronic health company found exposed online
Thousands of patient records stored by nTreatment, a company that provides electronic health and patient records to doctors and psychiatrists, have been exposed online in the latest case of a company failing to secure its cloud storage.
The data, discovered on a Microsoft Azure server and publicized today by TechCrunch, included 109,000 files, a large portion said to be lab test results from third-party providers such as Laboratory Corp. of America Holdings, better known as LabCorp.
Other files included doctors’ notes, insurance claims, medical records and sensitive data for patients across the U.S. Some of the data exposed included health information protected under the Health Insurance Portability and Accountability Act.
The company was advised of the data breach and the cloud storage was secured on Monday. The company has confirmed the data breach, saying that the server was used as “general purpose storage” and that it would notify affected providers and regulators of the incident. It’s unknown whether the data was accessed by bad actors before it was secured.
The exposure was notable because LabCorp itself does not have a great track record when it comes to cybersecurity. It was struck by ransomware in July 2018, had 7.7 million patient records stolen after it was hacked in June 2016 and then was found to be exposing patient records via an unsecured part of its customer relationship management system in January.
Although LabCorp is not to blame for the nTreatment data exposure, there’s certainly a pattern when it comes to the company securing its data. At the very least, experts say, it should have been checking to make sure that its third-party providers were doing an adequate job of securing their data.
“Unfortunately this is an example of what happens when a company leaves a server and critical information unsecured without any password protection,” Vinay Sridhara, chief technology officer at AI-powered security posture firm Balbix Inc., told SiliconANGLE. “This breach illustrates the challenges of securing increasingly complex digital ecosystems, particularly in sensitive industries like healthcare. We are continuing to see companies compromise sensitive data and suffer costly breaches due to exposed, unsecure databases left open and accessible to anyone online without basic protection such as a password.”
Mark Bagley, vice president of product at security optimization platform provider AttackIQ Inc., noted that the healthcare industry has become a primary target for cybercriminals because personal health information is very profitable on dark web marketplaces.
“Healthcare data usually contains fixed information, such as dates of birth and Social Security numbers, which hackers can use to commit identity theft for years to come,” Bagley explained. “Healthcare organizations that manage large amounts of personal health information must take proactive approaches to protect their data. In addition to the usual control-centric approach, they need to add continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses, with a special eye to validation of the third parties they work with.”