Meditab Software Breach Impacts Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) Patients

A potential breach at Meditab Software Inc. affects two healthcare companies in Maryland. Meditab, which provides EMR and practice management software, is a business associate of the two companies. As such, its systems include patient protected health information (PHI). Meditab discovered in March 2019 that some PHI was left unsecured.

Meditab had developed a website to access statistics for its Fax Cloud services. Statistics are maintained for all faxes, but the fax server does not store images. While a fax is being transmitted, a temporary hyperlink points to the fax image, which is stored on a separate and secure server until receipt of the fax is confirmed. Then the link is deleted.

Access to the portal requires a username and password. However, a Meditab programmer disabled this authentication feature without authorization in January. While authentication was disabled, from January 9 to March 14, 2019, some faxes containing medical data were accessible. Several faxes stayed in the failed queue and may have been viewed until the problem was corrected. Meditab explained that less than 5% of the faxes were exposed. A security firm discovered the unprotected portal; there is no proof to suggest that other people discovered the portal or viewed faxes.

The following information may have been exposed: names, addresses, telephone numbers, birth dates, and medical data and consultation notes, including diagnoses and treatment data.

The company recently advised Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) about the exposure of some of their patients’ PHI.

Meditab claimed that search engines do not crawl the analytics portal, so it shouldn’t be easy to discover the portal. Nonetheless, if an unauthorized person found the portal, fax messages could have been opened individually, with the option to download or print them. Meditab is convinced there is a low risk of harm to patients.

The breach reports sent to the HHS’ Office for Civil Rights indicate that 1,400 SMMG and 1,980 CCA patients were affected. As of this time, there are no reports of other healthcare providers being affected by the breach.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681