More than 200,000 patients’ records were exposed on MedEvolve’s public FTP server – researcher

Posted on May 16, 2018 by Dissent

Common sense dictates that patients’ protected health information should not be made freely available on FTP servers that require no login. And yet it still happens, and has happened again.

Recently, this site learned of another FTP server exposing patients’ information. This particular FTP server belongs to MedEvolve, an Arkansas company that provides practice management software. As we have seen in so many other leaks, this FTP server was configured to permit anonymous login and displayed no banner telling people to keep out of the files containing patients’ information.

No banner told people to stay out of the FTP server. No login creds were required, either.

The researcher who reported the leak to DataBreaches.net observed that a number of clients had files on the FTP server, and in all cases but two, the files were password-protected.

One of the two clients where no password or protection was deployed was Premier Urgent Care in Exton, Pennsylvania (there are a number of medical entities called Premier Urgent).


The SQL database that was not secured contained more than 205,000 patient rows, the researcher reported.

The database contained more than 205,000 records.

More than 11,000 of the records reportedly included Social Security numbers.

A second MedEvolve client with exposed patient information on that FTP server was Dr. Beverly Held, a dermatologist in Corpus Christi, Texas.


Dr. Held’s files consisted of three .dat files. According to the screenshot the researcher provided this site, the files had last been modified on November 10, 2015. The researcher estimated that there were about 12,000 Social Security numbers exposed in the files.

On May 3, DataBreaches.net notified the two medical practices and MedEvolve. At the request of Dr. Held’s staff, I also spoke with their outsource IT support firm.

That same day, the files were removed from public access.

And that was the last I heard until I started reaching out to them all again to ask what they had found and what they intended to do. Dr. Held’s IT firm responded promptly to my inquiries and indicated that they were not responsible for the leak because this incident, if it occurred, predated their involvement with Dr. Held’s practice. For every other question I posed, their answer was that MedEvolve was investigating.

Here are the questions I had/have for both entities and MedEvolve:

  • For how long were the Premier Urgent Care files exposed without any password required to access them?
  • For how long were Dr. Beverly Held’s patient files exposed without any password required to access them?
  • Were there access logs that showed how many times the patient data files may have been accessed and/or downloaded?
  • Whose responsibility was it to secure those files? MedEvolve? The clients’?
  • Will any patients be notified of this?
  • Will HHS be notified of this?
  • Did Premier Urgent Care and Dr. Beverly Held have business associate agreements in place with MedEvolve?
  • Did Premier Urgent Care and Dr. Beverly Held have risk assessments that included the files on this FTP server?
  • Why has not one person contacted me to ask what data/PHI I or the researcher might be in possession of, and whether we would securely destroy any such data and provide an attestation of that destruction?

DataBreaches.net did hear back from Matthew Rolfes, President & CEO of MedEvolve. Rolfes thanked this site for alerting them, and wrote:

Our IT team, along with our healthcare lawyers, are aggressively investigating the situation. We have, and will, take any necessary steps in order to mitigate any adverse effects to the extent within our control.

We are also aware of HIPAA requirements applicable to Covered Entities and Business Associates in the event of a breach. Our company will comply accordingly.

I know you will understand that we cannot, on the advice of counsel, disclose to you all aspects of the investigation.

There’s a big difference between not disclosing all and not disclosing anything. A little more transparency would be in order, I think.

So in any event, I am disclosing this incident on this site and we’ll see if/when it shows up on HHS’s public breach tool, either by MedEvolve or by one or both of the medical practices.
