Nebraska Hospital Acknowledges Data Breach

Nebraska's Sidney Regional Medical Center recently began notifying an undisclosed number of employees and job applicants that their personal information was made available online by mistake (h/t DataBreaches.net).

"On December 12, 2013, we learned that certain data on the previous version of the Sidney Regional Medical Center Web site was stored on a server that was accessible under certain conditions via the Internet," Sidney Regional Medical Center compliance officer Linda Shoemaker wrote in the notification letter [PDF]. "After receiving this notification we immediately blocked all access to the Web site and, in less than 24 hours, confirmed that all files were removed from the server."

Following an investigation that was completed on January 16, 2014, the hospital determined that one person had accessed her own information through a Web search on December 11, 2013, but wasn't able to determine whether any other unauthorized access to information took place.

"Through our investigation we determined that Employment Authorization forms were stored on a server that was password protected against human access, but was not protected against Web crawlers and Web robots (such as those used by Google and other Web search engines)," Shoemaker explained.

The forms in question contained names, addresses, driver's license numbers and Social Security numbers.

All those affected are being advised to monitor their credit reports for suspicious activity, and have been offered one free year of identity protection services from AllClear ID.