EDISON, N.J. (CBSNewYork) — The New Jersey Division of Consumer Affairs has responded to a CBS 2 exclusive, opening a review after the discovery that medical billing company M.D. Manage left sensitive information out in the open.

As CBS 2’s Tony Aiello reported, the chief executive officer of M.D. Manage hid in his office rather than facing CBS 2’s camera to explain the data breach that exposed sensitive information.

CBS 2 discovered the online data breach while researching an unrelated story. M.D. Manage, of Edison, New Jersey, failed to secure confidential information online.

CBS 2’s Aiello pointed out that the data were “completely unprotected and available to anyone on the Internet.”

CBS 2 found tax documents from doctors, a confidential psychological history of an Essex County woman, and hundreds of patient’ names, addresses, Social Security numbers, and dates of birth.

Johnbosco Johnson of East Orange, New Jersey was among those whose data were exposed.

“That whole number is my Social Security number, my date of birth, my address,” Johnson. “That’s terrible; it’s crazy. Wow.”

The information was all anyone would need to seal someone’s identification, or a credit card in his or her name.

Aiello had to yell through a window asking how many people’s information was compromised. But finally, M.D. Manage chief executive officer Kumar Reddy gave him a call.

“It should not have happened and will never happen in the future again,” Reddy said.

Reddy admitted that his company only learned about the data breach when one of the victims called to ask why sensitive information was posted online.

“One of the patients called us, that’s exactly how we came to know,” he said.

he company offered Johnson and hundreds of other victims 16 months of free credit monitoring.

They have also offered to destroy copies of the records that should not have been made available in the first place.

“Every step will be taken to make sure people are protected,” Reddy said.

But M.D. Manage skipped one step. CBS 2 checked with New Jersey State Police — the company has not reported the data breach as required by law.

The Division of Consumer Affairs enforces the law requiring the data breaches be reported to New Jersey State Police. The division opened the review after seeing CBS 2’s story Thursday night.

M.D. Manage did tell the state Division of Insurance about the problem. Also, in a letter being sent to victims, the company said it forfeited operational protections and hired a data security agency to review operations.

You May Also Be Interested In These Stories:

Watch & Listen LIVE