Two healthcare providers in Maryland have been affected by a potential breach at their business associate, Meditab Software Inc.
Meditab provides EMR and practice management software to healthcare providers and its systems contain patient information. In March 2019, Meditab discovered some protected health information (PHI) had been left unprotected.
Meditab had created a portal to view statistics for its Fax Cloud services. Statistics were maintained on all faxes, but no images were stored directly on the fax server. When faxes were transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax was confirmed as having been received. Once receipt was confirmed, the link was no longer available.
Usernames and passwords were required to gain access to the portal; however, in January, a Meditab programmer deactivated authentication without authorization. While authentication was disabled, a limited number of faxes containing medical information were discoverable between January 9 and March 14, 2019. A limited number of faxes remained in the failed queue and could have been found up until the problem was discovered and corrected. Meditab said fewer than 5% of the faxes that passed through the system were exposed. The portal was discovered by a security firm; however, no evidence was uncovered to suggest any other individuals had found the portal or accessed faxes.
The exposed information may have included names, addresses, phone numbers, dates of birth, and medical records and treatment notes, which may include diagnoses and treatment information.
The firm recently informed Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) that the PHI of some of their patients had been exposed.
Meditab said at no point could its analytics portal be searched or crawled by search engines, so discovering the portal would not have been easy. However, if the portal was located, an unauthorized individual could have opened the fax messages individually and had the option of downloading or printing those faxes. Meditab believes the risk of harm to patients is low.
According to the breach reports submitted to the HHS’ Office for Civil Rights, 1,980 CCA patients and 1,400 SMMG patients have been affected.
It is currently unclear whether any other healthcare providers have been affected by the breach.