BioReference Laboratories, Inc.

BioReference Laboratories, Inc. Data Breach (2014)

low
VERIS
Disclosed

January 1, 2014

4468 days ago

Records

3.3K

Confirmed

Root Cause

Misconfiguration

Industry

Healthcare

Description

We at BioReference Laboratories, Inc., and our subsidiary CareEvolve, Inc., take very seriously our responsibility to protect the privacy and security of our patients' personal information, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable laws. It is therefore important to us that our patients are made aware of any potential privacy issues with their personal information. This notice is being posted as a precautionary measure to inform our patients of a data security incident that may have involved some patient personal information, and to let them know what we are doing, and have already done, to protect the privacy of this information. We believe this security incident occurred because a test server used at CareEvolve was inadvertently configured so that it was accessible to the Internet for a brief period earlier this year. This server included records containing patient names, home addresses, telephone numbers, ages, patient/medical record numbers, dates of collection, clinical test data, dates of birth and, in 196 instances, Social Security Numbers. Although we believe that this server was accessed by the automated computer data mining application that Internet search engines use to accelerate their search capabilities, we have found no evidence that our patients' personal information was improperly used or accessed by any individual seeking another's personal data. We believe the server was first accessed by one of these automated search engine data mining applications on February 2, 2014 and that the breach incident ended on March 19, 2014. No credit card, bank information or other financial information was released to the Internet. Upon learning of the incident on March 19, 2014, we immediately had the server taken offline and all indexed files that we could locate on the Internet were immediately removed.
We also undertook an extensive internal investigation, hired an independent security firm to conduct a forensic investigation, reviewed our data security and internal safeguards, retained a company to regularly monitor our servers, and implemented enhanced security measures to minimize the risk of any similar incidents in the future. Although we feel confident that we have taken appropriate steps to contain the risk of unauthorized use, we recommend that the affected individuals remain vigilant to prevent misuse of their personal information by, for example, monitoring credit card and bank statements and reporting any fraudulent activity to financial institutions.