Dentist Posts 2,569 Patient SSNs on Wireless Hot Spot
FOR IMMEDIATE RELEASE: April 9, 2008 UPDATED: November 10, 2009Media Contact: Aaron Titus
(202) 669-2969
OXON HILL, Maryland. In early March, 2008, Dr. Michell Burdine-Merai's office exposed private information about 9,911 patients, former patients, and their families to the public through an unsecured public wireless network, or "Hot Spot." Of those, the wireless network exposed roughly 2,569 social security numbers. The information also included appointments, dental treatments, and phone numbers. We notified Dr. Merai's office that they should cease broadcasting this information to the public, hire a professional to fix network vulnerabilities, and notify their patients that their information had been exposed to the public.
The following are a few key facts surrounding the breach:
- Dr. Merai's office provided an open, unencrypted wireless network, or "Hot Spot," to any member of the public within 150 feet of the office, including public areas such as the lobby, hallways, and one floor above and below. The wireless network did not require a password, and was not secured.
- Dr. Merai's office attached certain internal business computers to its public wireless network, which contained sensitive client information. Those computers were not password-protected.
- Dr. Merai's office further affirmatively placed private patient information in shared folders, which were open to the public simply by double-clicking. The shared folders were not password-protected, and the patient information was not encrypted.
- All of the sensitive patient information was available to any member of the public with a laptop who came within 150 feet of the office on the third, fourth and fifth floors, was accessible using only a mouse, and required no passwords.
In subsequent phone conversations with Dr. Peter Merai, Dr. Michell Burdine-Merai's husband, he flatly refused to notify patients that Dr. Michell Burdine-Merai's office has exposed their personal information. The Liberty Coalition has filed a complaint with the Maryland Dental Association.
UPDATE: November 10, 2009: On November 10, 2009 Dr. Peter Merai sent the following e-mail to the Liberty Coalition:
Michelle Merai, D.D.S and Comprehensive Dental Care, Inc (Peter Merai, D.D.S.) are TWO SEPARATE BUSINESS ENTITIES.The Liberty Coalition appologizes for the mistake. Within 10 minutes this press release was updated to reflect the fact that the husband and wife do not share the same office. All other facts remain unchanged.
I do NOT share Michelle Merai's dental office with her. You should have verified your information BEFORE posting slander about me on the internet.
Please immediately remove my name from the article you posted on the internet.
I need to see a result within 24 hrs or I will refer this case to my attorney.
Dr Peter Merai.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
About NationalIDWatch.org
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.