A reporter from the Philadelphia Inquirer discovered that sensitive data of hepatitis patients were accessible online through a Philadelphia Department of Public Health (DPH) website tool without the need for a password. The Inquirer was able to access the data of some 23,000 patients who had contracted Hepatitis C. The vulnerable data included the patient’s name, gender, address, test results and some Social Security numbers.

The Philadelphia DPH responded to the Inquirer and has announced that the sensitive information of patients with hepatitis B and C had indeed been exposed and could be accessed by anyone without authentication. The issue was corrected following the report. The exposed information had been provided through an online portal from providers to DPH to track and monitor patients with hepatitis. It is not known how long the data were accessible, how many patients’ information was exposed and whether that information was accessed by any unauthorized individuals.