MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server

MedEvolve, a provider of electronic billing and record services to healthcare providers, has announced that an FTP server used by the firm had been left unsecured between March 29, 2018 and May 4, 2018.

The FTP server contained a file that included the protected health information of patients. On March 29, the day that the protection was removed, the file was accessed by an unauthorized individual. MedEvolve discovered the breach on May 11, 2018.

According to the breach notice submitted to the California Attorney General, the file contained the data of patients of Premier Immediate Medical Care.

MedEvolve did not mention in the breach notice how many patients had been affected and the incident has yet to appear of the Department of Health and Human Services’ Breach Portal. However, in May, was alerted to the exposure of data by a security researcher who discovered the unprotected FTP server. According to the report, the file contained approximately 205,000 lines of patient data, each corresponding to a different patient. More than 11,000 Social Security number were included in the data.

Patient information from a second client, Beverly, L. Held, M.D, a corpus Christi dermatologist, was also present on the server in three separate .dat files according to the report. Those files allegedly included an estimated 12,000 Social Security numbers. No mention of this client was made in the MedEvolve breach notice.

MedEvolve explained in its breach notice that names, billing addresses, telephone numbers, health insurer names, health insurance numbers, and Social Security numbers were present in the file. No financial data, treatment information or health data were exposed.

MedEvolve said that upon discovery of the breach, the FTP server was secured to prevent any further unauthorized access and a third-party forensic investigator was hired to conduct a full investigation. The investigation into the breach is ongoing and further security controls are being implemented to enhance the privacy and security of its information systems.

Due to the sensitive nature of the data that were exposed, MedEvolve is offering affected patients 24 months of complimentary credit monitoring services through myTrueIdentity, which includes up to $1,000,000 of identity theft insurance.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.