Potentially Massive Breach of PHI Due to Unprotected Fax Server

Meditab Software Inc., a medical software provider based in Sacramento, CA, and MedPharm Services, its affiliate based in San Juan, PR, had an enormous breach of protected health information (PHI).

Meditab provides hospitals, doctor’s clinics, and pharmacies with electronic medical record (EMR) and practice management software. The company website claims that it has over 2,200 healthcare clients using the software.

Meditab is also providing its clients fax processing services. It was discovered that a server used for fax processing was leaking information. Access to the information was open online with no authentication required.

Cybersecurity company SpiderSilk based in Dubai discovered the unprotected fax server. A subdomain of MedPharm Services hosted the fax server, which contains an Elastisearch database created in March 2018. This server contains over 6 million records of fax communications, which are accessible in real time. The number of records that contain PHI is presently uncertain.

A recent TechCrunch report stated that a review of the fax communications in the database confirmed the inclusion of highly sensitive information like names, addresses, birthdates, insurance details, payment data, Social Security numbers, physician’s notes, prescription information, diagnoses, laboratory test results, and healthcare histories. No data was encrypted.

TechCrunch contacted Kalpesh Patel, the founder of Meditab Software and MedPharm Services, about the breach. After discovering the breach, the provider took down the fax server, and started an investigation to find out what caused the breach.

A review of database logs are presently being conducted to ascertain the extent of the breach, the patients affected, and if unauthorized persons accessed the database or downloaded information.

It is not yet known how long the server was left accessible nor the number of patients affected by the breach. Taking into consideration the volume of records in the database, it’s possible that this breach will be one of the biggest healthcare data breaches in the U.S. Additional information will be announced when available.