EDISON, N.J. (CBSNewYork) — Records from the New Jersey medical billing company M.D. Manage have been the subject of a huge data breach, with sensitive information from hundreds of local residents posted on the Internet for everyone to see.
Social Security numbers and tax information were all out in the open – and as of Thursday night, most victims hadn’t even been notified yet.
In a CBS 2 exclusive, Tony Aiello confronted the business in an effort to get answers.
The chief executive officer of M.D. Manage hid in his office rather than face CBS 2’s camera to explain the data breach.
Johnbosco Johnson of East Orange, New Jersey was among those whose data were exposed.
“That whole number is my Social Security number, my date of birth, my address,” Johnson. “That’s terrible; it’s crazy. Wow.”
CBS 2 discovered the online data breach while researching an unrelated story. M.D. Manage, a medical billing company based in Edison, failed to secure confidential information online.
CBS 2’s Aiello pointed out that the data were “completely unprotected and available to anyone on the Internet.”
CBS 2 found tax documents from doctors, a confidential psychological history of an Essex County woman, and hundreds of patient’ names, addresses, Social Security numbers, and dates of birth.
The information was all anyone would need to seal someone’s identification, or a credit card in his or her name.
Aiello had to yell through a window asking how many people’s information was compromised. But finally, M.D. Manage chief executive officer Kumar Reddy gave him a call.
“It should not have happened and will never happen in the future again,” Reddy said.
Reddy admitted that his company only learned about the data breach when one of the victims called to ask why sensitive information was posted online.
“One of the patients called us, that’s exactly how we came to know,” he said.
Victim Johnson said he was “astonished” and “surprised.”
The company offered Johnson and hundreds of other victims 16 months of free credit monitoring.
They have also offered to destroy copies of the records that should not have been made available in the first place.
“Every step will be taken to make sure people are protected,” Reddy said.
But M.D. Manage skipped one step. CBS 2 checked with New Jersey State Police — the company has not reported the data breach as required by law.
Experts said you should search for your own name on the Internet regularly to keep tabs on what information is available about you online.
An identity monitoring service can also help protect you against data breaches.
You May Also Be Interested In These Stories: