Web Portal of Transcription Service Provider Discovered to be Leaking PHI
A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI.
MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access the portal, a user must be authenticated by means of a password.
According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff and could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized individuals to add and remove users, search for patients of specific physicians, and find information about patients by name.
Brian Krebs notes that a search of the site revealed the names of 2,300 physicians from across the country. Each provider had a directory which contained audio files and documents of transcribed medical notes, all of which could be freely downloaded.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The exposure of patient health information was reportedly due to a glitch in the portal that is believed to have been incorporated during a rebuild of the portal. MEDantex suffered a ransomware attack that resulted data on its portal being encrypted. The recovery process involved rebuilding the portal, although an error meant password protection was removed.
Brian Krebs notified MEDantex of the error and the portal was immediately taken offline pending a thorough investigation. According to Krebs, a Google cache of the site shows the records were accessible since at least April 10, 2018.
It is currently unclear exactly how many patients’ PHI was exposed, although it is likely to number in the thousands. It is also unknown whether any unauthorized individuals accessed and downloaded PHI during the time that the records were left exposed.
