A US-based medical software provider called – Meditab Software Inc. and it’s, Public relations-based affiliate, MedPharm Services – have suffered a massive data breach that exposed protected health information.
Meditab Software and MedPharm Services were both founded by Kalpesh Patel. After being alerted to the breach, the fax server was taken offline, and an investigation was launched to identify the cause of the breach.
The company generally provides electronic medical record (EMR) and practice management software to hospitals, physician’s offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients. They also provide fax processing services and one of the servers used for processing faxes has been discovered to be leaking data that could be accessed over the internet without the need for any authentication.
The exposed facsimile server was uncovered by the Dubai-based cybersecurity firm SpiderSilk.
The fax server was hosted on a subdomain of MedPharm Services and is situated in an Elastisearch database containing fax communications. Those faxes could be accessed in real time.
The database was created in March of 2018 and is home to more than 6 million records. It is currently unclear how many of those records contained protected health information.
According to a recent report by security researchers, a brief review of the faxes in the database revealed they contained highly sensitive information such as names, addresses, dates of birth, insurance information, payment information, Social Security numbers, doctor’s notes, prescription details, diagnoses, lab test results, and medical histories. None of the information was encrypted.
Database records are currently being assessed and investigated to be able determine the extent of the breach, which patients have been affected, and whether the database was accessed by a number of unauthorized individuals or downloaded by malicious hackers who might find it profitable.
It is unclear for how long the server was left exposed and the true number patients that have been affected by the breach. Considering the volume of records in the database, this breach has the potential to be one of the largest ever healthcare data breaches in the United States.