Thousands of physicians’ notes and medical records were left exposed by a fax server error within Meditab, an all-in-one multi-specialty EHR, Practice Management and Billing software solution, TechCrunch first reports. Dubai-based cybersecurity firm SpiderSilk discovered the unsecured exposed fax server was running an Elasticsearch database with over 6 million records since its creation in March 2018. It is unknown if anyone else discovered the exposed fax server or how long the data was exposed.
Exposed Fax Server Error Details
Since the fax server had no password, anyone could read the transmitted faxes in real time. The faxes contained medical records, doctor’s notes, prescription amounts and quantities, and illness information such as blood test results. They also exposed names, addresses, dates of birth, and in some cases Social Security numbers, health insurance information, and payment data. None of the data was encrypted, and it included personal and health information on children.
The compromised fax server was hosted on a subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab. TechCrunch reached out to several patients, who confirmed that the details exposed in the faxes were theirs.
TechCrunch reached out to Meditab COO Kalpesh Patel, who stated in an email response that the company is “looking into the issue to identify the problem and solution.” The company’s general counsel, Angel Marrero, said, “we are still reviewing our logs and records to access the scope of any potential exposure.” When asked whether Meditab plans to inform regulators and customers about the exposed records, Marrero stated the company “will comply with any and all required notifications under current federal and state laws and regulations, as applicable.”