Data Has Escaped

A few days ago I received an interesting email, it was from the New Mexico Medical Center welcoming me to the Patient Portal.  I was a little confused as I don’t live in New Mexico, have never been to New Mexico and, to the best of my knowledge, have no know relatives in New Mexico.  A little curious I opened up the first email and started reading:


We are pleased to inform you that online access to your electronic health record is now available through New Mexico Medical`s Patient Portal. The Patient Portal is a secure website that allows you to communicate with your health care provider and to view parts of your electronic health record.  This tool will help you better manage your care and enhance your partnership with your health care team.

OK, so obviously someone put in the wrong email address (mine) instead of theirs and I got sent the welcoming email.  I was happy that they didn’t actually provide any confidential information in the email as that would have been … awkward.  The part I liked was :

For security reasons, the activation code will be sent to you separately.

So the New Mexico Medical Center was going to send me an activation code that I would need to activate my account.  Cool, so they will send it to the correct mailing address and I don’t have to worry about it.  I pop out of this email and … oh, oh.  Sitting in my inbox is the Patient Portal Activation Code.  Well, this sucks.  Daniel Jessop created a userID with the name of “djessop1”.  (Wait, there is another djessop other than Daniel in New Mexico?)  I now have the link to activate his account and the activation code necessary.

What do I do?  I can now active Daniel Jessop’s account with his health care provider and pull out all of the information about him.

Well, I’m a sucker.  I thought that I would be nice.  The note says that if there are any problems with setting things up to give them a call.  So I proceeded to do that.  Multiple times, across multiple days.  In fact, I checked time zones to make sure that I was calling at the correct time.  No one answered the helpline.  I didn’t even get a recorded message saying that they were busy.  I didn’t get voice mail.  I got diddly.

So there are some interesting lessons to be learned here:

  1. If you are setting up an account for someone, make sure that they can actually access the email account that they enter.  They may have made a mistake and you need to take that into account.  Something like time limiting the activation to xx minutes, but you need to do something.
  2. There is no use at all of sending a welcoming email and an email with an activation code.  Either put them into one email or send the activation code via another method, but two emails to the same account?  Completely amateur.
  3. If you have a help number for people to call, you darn well better staff it or at least let the phone go to voicemail.  No response is not adequate, particularly since you are dealing with someones electronic health record.
  4. Clean up your website.  (OK, I dissected the link a bit.)  If I go to the root of the activation link I get the default IIS web page.  I now know which operating system and version of IIS they are using.  I know that it is an ASPX page hosted by a third party and that third party has not kept up with security patches.  If you are going to host patient data you better harden your website.

In essence, if you are ever in New Mexico, avoid the Eastern New Mexico Medical Center as your data could end up in Canada.

Leave a Reply