Huge amount of medical records and prescriptions discovered – TechCrunch




A health tech company published thousands of doctor's notes, medical records and prescriptions daily after a security breach left a server without a password.

Meditab, a small software company based in California, is one of the leading manufacturers of electronic medical record software for hospitals, doctors' offices and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, which remains an essential method for sharing patient records with other providers and pharmacies.

But this fax server was not properly secured, according to the security company that discovered the data.

SpiderSilk, a Dubai-based cybersecurity company, told TechCrunch about the exposed server. The exposed fax server was running an Elasticsearch database with over six million records since its inception in March 2018.

The server did not have a password, so anyone could read the faxes transmitted in real time, including their content.

According to a brief review of the data, the faxes contained a wealth of personally identifiable information and health information, including medical records, doctor's notes, prescribed amounts and quantities, as well as information about the illness, such as blood test results. Faxes also included names, addresses, dates of birth and, in some cases, social security numbers, health insurance information and payment data.

The faxes also included personal data and information on children's health. None of the data was encrypted.

Two disclosed documents found on the fax server, redacted. (Image: TechCrunch)

The server was hosted on a subdomain of MedPharm Services, a Meditab subsidiary based in Puerto Rico, both founded by Kalpesh Patel. MedPharm was established as a separate company in San Juan to take advantage of the tax benefits granted to companies that have opened a business on the island.

TechCrunch verified the records by contacting several patients, who confirmed their contact details from the faxes.

Patel said his company "was looking into the issue to identify the problem and its solution," but then referred further comment to the company's general counsel, Angel Marrero.

"We always look at our newspapers and records to see the scope of any potential exposure," Marrero said in an email.

We asked if the company was planning to inform regulators and customers. Marrero stated that the company "will comply with all notices required under applicable federal and state laws and regulations, as the case may be."

It is not immediately known whether anyone else discovered the exposed server or how long the data was exposed.

Meditab and MedPharm both claim to comply with HIPAA, the Health Insurance Portability and Accountability Act, which governs how health care providers must manage patient data security.

Companies that disclose data or violate the law can face heavy fines.

Last year was marked by "record" fines – some $25 million for several exposures and offenses, including $4.3 million at the University of Texas for inadvertent disclosure of encrypted personal health data, and a settlement of $3.5 million by Fresenius after five separate offenses.

A spokesman for the US Department of Health and Human Services did not comment.
