
A huge trove of medical records and prescriptions found exposed


NelsonG


A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password.

The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies.

But that fax server wasn’t properly secured, according to the security company that discovered the data.

SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch of the exposed server. The exposed fax server was running an Elasticsearch database holding over six million records accumulated since its creation in March 2018.

Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.
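The failure described above is an Elasticsearch node reachable from the internet with no authentication at all. As an added illustration (not configuration from the article, from Meditab, or from MedPharm), the fragment below contrasts the kind of `elasticsearch.yml` that produces an open listener with a hardened single-node configuration. It assumes a self-hosted Elasticsearch 7.x or 8.x node where the X-Pack security module is available; in 8.x security is on by default, whereas on older releases it had to be switched on explicitly.

```yaml
# --- Weak: the pattern behind an "open Elasticsearch" exposure ---
# Binds the HTTP API to every interface and disables authentication,
# so any client that can reach port 9200 can read every index.
network.host: 0.0.0.0
xpack.security.enabled: false

# --- Hardened (illustrative single-node setup, assumed values) ---
# Only listen on the loopback interface (or a private interface);
# put an authenticating reverse proxy or VPN in front if remote
# access is genuinely needed.
network.host: 127.0.0.1
discovery.type: single-node

# Require credentials for every HTTP request and encrypt the API.
# The keystore path below is a placeholder for your own certificate.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder
```

After restarting with security enabled, an unauthenticated `curl https://<host>:9200/` against your own node should return HTTP 401 rather than the cluster banner; a 200 with cluster details from outside the host is the signal that the listener is still open. Audit the bind address as well as the auth setting: a node with credentials but `network.host: 0.0.0.0` still exposes its API and any unpatched vulnerabilities to the whole internet.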

According to a brief review of the data, the faxes contained a host of personally identifiable information and health information, including medical records, doctor’s notes, prescription amounts and quantities, as well as illness information, such as blood test results. The faxes also included names, addresses, dates of birth, and in some cases Social Security numbers and health insurance information and payment data.

The faxes also included personal data and health information on children. None of the data was encrypted.


Two leaked documents found on the fax server, redacted. (Image: TechCrunch)

The server was hosted on a subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab, both founded by Kalpesh Patel. MedPharm was spun out as a separate company in San Juan to take advantage of tax breaks for those who set up businesses on the island.

TechCrunch verified the records by contacting several patients who confirmed their details from the faxes.

When reached about the security lapse, Patel said the company was “looking into the issue to identify the problem and solution,” but deferred comment to the company’s general counsel, Angel Marrero.

“We are still reviewing our logs and records to access the scope of any potential exposure,” said Marrero in an email.

We asked if the company planned to inform regulators and customers. Marrero said the company “will comply with any and all required notifications under current federal and state laws and regulations, as applicable.”

It’s not immediately known if anyone else discovered the exposed server, or how long the data was exposed.

Both Meditab and MedPharm claim to be compliant with HIPAA, the Health Insurance Portability and Accountability Act, which governs how healthcare providers properly manage patient data security.

Companies that expose data or violate the law can face hefty fines.

Last year was a year of “record” fines — some $25 million for several exposures and breaches, including $4.3 million in fines to the University of Texas for an inadvertent disclosure of encrypted personal health data, and a $3.5 million settlement by Fresenius following five separate breaches.

A spokesperson for the U.S. Department of Health and Human Services did not comment.
