Fri. Jun 5th, 2020

A Huge Trove of Medical Records and Prescriptions Found Exposed

A health tech company was leaking thousands of doctors' notes, prescriptions, and medical records daily after a security lapse left a server without a password.

Meditab, a California-based software company, describes itself as “one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies.” Among other things, the company processes electronic faxes for healthcare providers.

But that fax server wasn’t properly secured, according to the security company that discovered the data.

Spidersilk, a Dubai-based cybersecurity firm, said the exposed fax server was running an open-source database holding over six million records dating back to March 2018. Because the server had no password, anyone who found it could read the transmitted faxes in real time.

The faxes contained personally identifiable information, including medical records, doctor’s notes, prescription amounts and quantities, and illness information such as blood test results. They also included names, addresses, dates of birth, and in some cases Social Security numbers and health insurance and payment information.

The faxes also included personal data and health information on children. None of the data was encrypted.

Spidersilk reached out to Meditab and to MedPharm Services, a Puerto Rico-based affiliate of Meditab, about the security lapse, and was referred to Angel Marrero, the company’s general counsel.

“We are still reviewing our logs and records to assess the scope of any potential exposure,” said Marrero in an email.

When asked if they planned to inform regulators and customers, Marrero said the company “will comply with any and all required notifications under current federal and state laws and regulations, as applicable.”

It’s not immediately known if anyone else discovered the exposed server, or how long the data was exposed.