Doctor’s notes, prescriptions, and blood test results are only a few of the types of medical information that Meditab leaked. The California-based company provides software in the healthcare industry. Their goal is to help medical practices and pharmacies organize their business operations. In addition to their software, they also process electronic faxes for healthcare providers. It was this insecure service that left personally identifiable information (PII) up for grabs.
Discovering the Exposed Server
The primary way that healthcare providers share patient files with pharmacies and other medical professionals is through electronic faxes. These faxes are sent to an email inbox instead of a fax machine. Most of these faxes are encrypted using a reliable system. In Meditab’s case, there was no encryption whatsoever.
The cybersecurity company SpiderSilk found that the fax server had no password, so anyone who could reach it could read the incoming faxes. The server was running an Elasticsearch database, which stores, retrieves, and manages documents and indexes their contents to make them easily searchable.
Aside from medical data, the faxes contained names, addresses, social security numbers, and in some cases health insurance information. The database contained 6 million records dating back to March 2018.
Consequences for the Company
The fax server that healthcare groups were using was hosted on a smaller domain belonging to MedPharm Services, an affiliate of Meditab that became its own company in Puerto Rico. The founder and general counsel of the company claimed that they were looking into the issue to judge the scope of the potential exposure. There was no clear statement about how long the data had been exposed on the server or whether anyone else had discovered the flaw.
Angel Marrero, General Counsel at Meditab and MedPharm Services, said that the fax server was taken down immediately after they were notified of the flaw. He added that the company would be taking precautions such as:
- Conducting a security check of all services
- Having additional penetration testing as a part of the server development
- Implementing a bug bounty program so that flaws can be reported directly
Ideal Solutions for Transferring Health Records
According to healthit.gov, most healthcare providers send patients' health information through Health Information Service Providers (HISPs). These providers encrypt the information as it is sent to the other practice, and the receiving HISP decrypts it on delivery. While encryption offers the best protection, smaller healthcare practices still send and receive faxes.
SecureData's line of SecureDrives is the only hardware-encrypted storage solution on the market. It can keep patient information completely secure in transit. The only way to access the files is with a unique PIN or the DataLock App on your mobile device.
SecureData Can Help
In addition to our SecureDrives, our data recovery specialists have decades of experience recovering files and emails. For medical records that are faxed directly to an email, they are susceptible to corruption and viruses