Meditab Software Inc., Sacramento, CA-based medical software provider and it’s San Juan, PR-based affiliate, MedPharm Services have been subject of a huge breach of protected health information.
A fax processing service is also provided by Meditab and one of the servers used for processing faxes has been discovered to be leaking data. As a result, it could be accessed over the internet without the need for any authentication.
The unprotected fax server was discovered by SpiderSilk, a Dubai-based cybersecurity firm. The fax server was hosted on a subdomain of MedPharm Services. Furthermore, it housed an Elastisearch database containing fax communications. Those faxes could be accessed by anyone in real time. The database was formed in March 2018 and was home to over 6 million records. Currently, it is uncertain how many of those records contained protected health information.
A recent report on TechCrunch stated that a brief review of the faxes in the database showed they contained highly sensitive information such as names, addresses, dates of birth, Social Security numbers, payment information, insurance information, doctor’s notes, prescription details, diagnoses, lab test results, and medical histories. None of the above information was encrypted.
Meditab Software and MedPharm Services were both founded by Kalpesh Patel, who TechCrunch contacted in relation to the breach. The fax server was taken offline after the companies were alerted about the breach and an investigation was immediately launched to identify the cause of the breach.
In order to determine the extent of the breach, database logs are currently being assessed, which patients have been affected, and whether the database was accessed or downloaded by unauthorized individuals.
Currently, it is unclear just how long the server was left unprotected and how many patients have been affected by the breach. When the number of records in the database are considered, this breach has potential to be among the largest healthcare data breaches in history in the United States.