FORT MYERS, Fla. – A fifth class-action lawsuit filed against 21st Century Oncology on Wednesday accuses the cancer giant of storing patient information in a “free … notoriously vulnerable web-based” content management system called Joomla.
Sanibel lawyer Chuck Phoenix said he believes that patients’ private, personal and medical data are getting mixed with data shared on Joomla by other companies. Because Joomla is “widely known to have a serious flaw that allowed hackers to gain administrative access,” Phoenix said hackers could access information from people who were never patients at 21st Century Oncology.
“Theoretically they could also uncover data that belongs to other organizations. Their personal medical records, their personal medical information is now floating about on the internet and is still, at this moment, unprotected and subject to future breaches,” Phoenix said.
Phoenix’s theory offers one answer to a question many affected patients have asked: How did they get my information?
Patient information is still at risk after the October breach, Phoenix said. He advises affected patients to get the credit monitoring services that 21st Century Oncology has offered.
His advice comes as one man fears his information was stolen in the breach and misused.
Thomas Sapington said he received a letter from the Internal Revenue Service and believes someone tried to file tax returns under his name using stolen information. The IRS letter arrived two weeks after he and his wife received a letter from 21st Century Oncology.
“I really didn’t think much of it until I did get the letter from them and it said yes, their system had been compromised,” Sapington said.
Sapington was a 21st Century Oncology patient. His wife was not.
Joomla has contested the claim that it is a cloud service that holds customer data; the software is downloaded and installed on each organization’s own web servers, and the Joomla project has no access to the data stored there. It provided this statement, which reads in part:
“Joomla! is an open source, freely available Content Management System (CMS), a type of robust software used to help organizations develop web sites and make content available to users and customers. In fact, Joomla! is one of the most popular CMSs in use today, powering hundreds of thousands of web sites around the world.
“Through our web site, we provide detailed and timely information regarding vulnerabilities in our software, how to mitigate them where feasible, and when fixes become available. Moreover, we strive to make the patching and update process for Joomla! as simple as possible and clearly indicate when previous versions are no longer supported. Nevertheless, users of our software must be responsible for its use and keeping it up-to-date. And to reiterate, even in such cases where a vulnerability may be present in our software, it is the responsibility of the organizations storing sensitive data to protect it, not Joomla!, as we don’t have access to it.
“Finally, everyone at Joomla! is keenly aware of the many sensitivities regarding the privacy of healthcare records and other personally identifiable information. We take our responsibility to produce and maintain our software in the securest way possible very seriously. While we appreciate the concerns of your viewers, I trust you will take the opportunity to clarify Joomla!’s role in this unfortunate incident.”