Potentially Massive Breach of Protected Health Information Discovered

Sacramento, CA-based medical software provider Meditab Software Inc. and its San Juan, PR-based affiliate, MedPharm Services, have suffered a massive breach of protected health information.

Meditab provides electronic medical record (EMR) and practice management software to hospitals, physicians' offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients.

Meditab also provides a fax processing service. One of the servers used for processing faxes was found to be leaking data and could be accessed over the internet without any authentication.

The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elasticsearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information.

According to a recent report on TechCrunch, a brief review of the faxes in the database revealed they contained highly sensitive information such as names, addresses, dates of birth, insurance information, payment information, Social Security numbers, doctors' notes, prescription details, diagnoses, lab test results, and medical histories. None of the information was encrypted.

Meditab Software and MedPharm Services were both founded by Kalpesh Patel, whom TechCrunch contacted about the breach. Following the alert about the breach, the fax server was taken offline, and an investigation was launched to identify the cause of the breach.

Database logs are currently being assessed to determine the extent of the breach, which patients have been affected, and whether the database was accessed by unauthorized individuals or downloaded.

It is unclear how long the server was left unprotected and how many patients have been affected by the breach. Considering the number of records in the database, this breach has the potential to be one of the largest healthcare data breaches ever in the United States.

Further information will be posted as and when it becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.