A misconfiguration of an internal website portal used by a Florida county drug screening laboratory exposed sensitive data on the internet for over four years.
St. Lucie County’s drug screening lab (SLC Lab) offers drug testing services for work, court cases, and other requirements. The configuration mistake was uncovered on October 13, 2021, and the problem was promptly resolved.
With the help of third-party cybersecurity experts, it was confirmed on December 28, 2021 that the configuration mistake occurred on June 2, 2017. Between June 2, 2017 and October 13, 2021, certain portal users had access to sensitive information, such as full names, birth dates, Social Security numbers, and some data associated with the type of drug test conducted and the result of the laboratory test.
Although sensitive information was compromised through the website for four years, SLC Lab stated that it did not receive any notification of improper use of the exposed data and is not aware of any cases of identity theft or fraud resulting from the website misconfiguration.
SLC Lab didn't reveal in its breach notifications the number of persons affected by the incident; however, the breach notice sent to the Maine Attorney General states that the sensitive data of 14,528 people was compromised. Notification letters were sent to the affected persons on January 20, 2022. Free credit and identity theft monitoring services were likewise provided to the affected persons.
SLC Lab explained that it is dedicated to preserving the privacy of personal data, has undertaken several precautions to make certain that sensitive data is protected, and will continually assess and alter its procedures and internal settings to enhance the security and privacy of personal data.
Although the exposed information included data that would be categorized as protected health information (PHI) if kept by a HIPAA-covered entity, this incident is not considered a HIPAA breach because SLC Lab isn't a HIPAA-covered entity with regard to the exposed information.