Microsoft Power Apps vulnerability leaks COVID-19 vaccination records in Texas county


A Microsoft Power Apps vulnerability recently leaked COVID-19 vaccination records in Denton County, Texas. What’s more, this vulnerability exposed a total of 38 million records containing personally identifiable information (PII) and protected health information (PHI).

Denton County represents just a small portion of the data breach.

As a business associate to covered entities like Denton County, Microsoft (and all third-party vendors) must do its due diligence to safeguard PHI under the U.S. legislation HIPAA.

And for healthcare providers, this means utilizing strong cybersecurity while ensuring their business associates are doing the same.

What happened?

UpGuard, an independent cybersecurity firm, discovered the Microsoft Power Apps vulnerability on May 24. Microsoft Power Apps is a cloud-hosted suite of services that allows organizations to create business intelligence applications.

After apprising Microsoft of the situation, UpGuard then notified the 47 impacted organizations.

Denton County was informed July 2 and secured its data by July 7. The IT department also shut down access through the third-party app. PII/PHI exposed includes vaccine information, names, birth dates, email addresses, and phone numbers.

Original reporting indicated that millions of records were compromised, but the subsequent investigation discovered several files were duplicates. According to the U.S. Health and Human Services (HHS) Breach Portal, the vulnerability affected 326,417 Denton County individuals.

Denton County notified everyone affected of the cybersecurity incident and is now exploring additional cybersecurity measures. While the county did not collect Social Security numbers, driver’s license numbers, or financial account information, officials told affected individuals to monitor their credit.

Microsoft as a business associate

Generally, the HIPAA Privacy Rule allows covered entities to disclose PHI to business associates if they receive assurance that the information is protected through a signed business associate agreement (BAA).

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI. The BAA is a key component of HIPAA compliance between a covered entity and a business associate.

Microsoft’s HIPAA web page indicates that Microsoft will sign a BAA for some, but not all, of its products.

For example, while Microsoft 365, Microsoft Teams, and Microsoft Azure can be HIPAA compliant, Microsoft Ads is not.

RELATED: Is Microsoft Exchange HIPAA compliant?

And according to the HIPAA Azure web page, Microsoft Power Apps is covered by its BAA and therefore can be HIPAA compliant.

The Microsoft Power Apps vulnerability

The Microsoft cloud platform is complex and leaves configuration up to customers. And this configuration issue is the reason for the recent problems.

The Microsoft Power Apps vulnerability arose because organizations must enable table permissions on their own. With those permissions configured, data that needs to be public, like COVID-19 vaccine registration pages, can be visible, while information that needs to remain private, such as PHI, can be kept restricted.

But if the correct configurations aren’t set, anyone can gain access to private data.

After UpGuard alerted Microsoft, its Security Response Center responded by closing the case and stating that the breach was “considered to be by design.”

UpGuard then notified the impacted organizations, including American Airlines, J.B. Hunt, and Ford. Government agencies informed include the Maryland Department of Health, the state of Indiana, and New York City Municipal Transportation Authority and Schools.

Microsoft became concerned and made changes only when UpGuard exposed the more severe cases. As a result, Microsoft enabled table permissions by default to avoid further confusion and improper disclosure.

Moreover, Microsoft now provides its customers with a self-diagnosis tool to help detect potential data privacy issues.
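To make the configuration point concrete, here is an added example (not Microsoft's code, and not a description of how Power Apps implements permissions internally) that models the two behaviours the article contrasts: a portal where table permissions are not enforced, so every table is readable by anyone, versus one where access is denied unless a permission explicitly grants it. The table names, web roles and privilege sets are constructed for illustration, and the final function is a small self-audit in the spirit of the self-diagnosis tool mentioned above, listing which tables an anonymous visitor could read under a given configuration.

```python
"""
Toy model of portal table permissions: allow-by-default versus deny-by-default.
Constructed example for illustration; it is not Microsoft's implementation.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class TablePermission:
    """One grant: the listed web roles may exercise the listed privileges on a table."""
    table: str
    roles: FrozenSet[str]
    privileges: FrozenSet[str]


@dataclass
class PortalConfig:
    """Portal settings. enforce_table_permissions=False models the older default,
    where no permission check stood between an anonymous visitor and the data."""
    enforce_table_permissions: bool
    permissions: List[TablePermission] = field(default_factory=list)


# Constructed sample tables: one meant to be public, two holding PII/PHI.
SAMPLE_TABLES = ["vaccine_registration_page", "vaccination_record", "contact"]

# Constructed grants: the registration page is public; vaccination records are
# readable only by clinic staff; nothing at all is granted on the contact table.
SAMPLE_PERMISSIONS = [
    TablePermission("vaccine_registration_page", frozenset({"anonymous", "clinic_staff"}),
                    frozenset({"read"})),
    TablePermission("vaccination_record", frozenset({"clinic_staff"}),
                    frozenset({"read"})),
]


def can_access(config: PortalConfig, table: str, role: str, privilege: str = "read") -> bool:
    """Decide whether `role` may perform `privilege` on `table`.

    With enforcement off, every request succeeds (the misconfiguration that exposed
    PHI). With enforcement on, a request succeeds only if some permission names
    both the role and the privilege for that table: deny by default."""
    if not config.enforce_table_permissions:
        return True
    return any(
        p.table == table and role in p.roles and privilege in p.privileges
        for p in config.permissions
    )


def audit_anonymous_exposure(config: PortalConfig, tables: List[str]) -> List[str]:
    """Self-check: which tables could an unauthenticated visitor read under `config`?
    Anything on this list that holds PII/PHI is a finding to fix before go-live."""
    return sorted(t for t in tables if can_access(config, t, "anonymous", "read"))


def legacy_config() -> PortalConfig:
    """Permissions defined but not enforced: the grants are decorative."""
    return PortalConfig(enforce_table_permissions=False, permissions=list(SAMPLE_PERMISSIONS))


def hardened_config() -> PortalConfig:
    """Permissions enforced: only explicit grants open a table."""
    return PortalConfig(enforce_table_permissions=True, permissions=list(SAMPLE_PERMISSIONS))


if __name__ == "__main__":
    for name, cfg in (("legacy", legacy_config()), ("hardened", hardened_config())):
        exposed = audit_anonymous_exposure(cfg, SAMPLE_TABLES)
        print(f"{name}: anonymously readable tables -> {exposed}")
```

The audit deliberately asks the same question an outside party would (what can an unauthenticated caller read?) but from the owner's side, before the portal is published; run against the legacy configuration it reports all three tables, including the PHI table, whereas the hardened configuration reports only the registration page. Note also that in the hardened model a missing grant on the contact table means it is closed, which is exactly the deny-by-default behaviour that enabling table permissions by default provides.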

Extra cybersecurity layers are vital

Even though Microsoft signs a BAA and utilizes its own cybersecurity measures, the company has seen many cyber vulnerabilities and breaches (e.g., Microsoft Exchange this year).

And third-party vendor errors hurt healthcare providers (as well as their patients) who have to report and investigate breaches and possibly be subject to HIPAA violations.

RELATED: What to do after you violate HIPAA

These reasons are why healthcare providers must make sure that business associates are HIPAA compliant through a signed BAA. Moreover, they must protect themselves and their patients with a layered cybersecurity program that includes:

And most important, healthcare providers must use strong email security (i.e., HIPAA compliant email).

Paubox Email Suite Plus—needed strong email security

Paubox Email Suite Plus protects email from inbound and outbound threats. All outbound emails are encrypted directly from an existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior.

And a new feature of our solution, Zero Trust Email, reviews incoming emails for potential threats, quarantining anything that raises a red flag. This feature, along with patented ExecProtect, which stops domain name spoofing, keeps all possible back doors into a system shut.

Furthermore, our solution is HITRUST CSF certified, which adds an extra layer of security. The HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

What this Microsoft incident demonstrates is the importance of using checks and balances when utilizing any third-party vendor who handles PHI. The only way to protect yourself and your patients’ PHI is by employing your own layered protections on top of what any business associate might do.

Try Paubox Email Suite Plus for FREE today.

About the author

Kapua Iao
