More than 200,000 patients’ records were exposed on MedEvolve’s public FTP server – researcher

Posted on May 16, 2018 by Dissent

Common sense dictates that patients’ protected health information should not be made freely available on FTP servers that have no login required. And yet it still happens, and has happened again.

Recently, this site learned of another FTP server exposing patients’ information. This particular FTP server belongs to MedEvolve, an Arkansas company that provides practice management software. As we have seen in so many other leaks, this FTP server was set to permit anonymous login and had no banner telling people to keep out of the files with patients’ information.

No banner told people to stay out of the FTP server. No login creds were required, either.
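The two weaknesses described above (anonymous login permitted, no banner telling visitors to keep out) are configuration choices that can be checked before a server is ever exposed. As an added illustration that is not code from MedEvolve, the researcher, or this site, the audit below parses a vsftpd-style `key=value` configuration (vsftpd is an assumption; the post does not name the FTP software) and reports the weak settings next to a hardened counterpart. It also flags disabled transfer logging, since without it nobody can answer how many times the files were downloaded.

```python
from typing import Dict, List

# Constructed sample resembling the exposed setup: anonymous login on, no banner.
WEAK_CONFIG = """\
# constructed vsftpd.conf fragment, not a real server's file
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/clients
write_enable=NO
"""

# Hardened counterpart: anonymous login off, banner present, users chrooted, logging on.
HARDENED_CONFIG = """\
listen=YES
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ftpd_banner=Authorized users only. Access is logged.
xferlog_enable=YES
"""


def parse_vsftpd(text: str) -> Dict[str, str]:
    """Return key -> value for a vsftpd-style config, skipping comments and blanks."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_ftp_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the three weaknesses is present."""
    cfg = parse_vsftpd(text)
    findings: List[str] = []
    # vsftpd's compiled-in default for anonymous_enable is YES, so a missing key
    # is treated exactly like an explicit YES.
    if cfg.get("anonymous_enable", "YES").upper() == "YES":
        findings.append("anonymous login enabled: files are readable without credentials")
    if not cfg.get("ftpd_banner") and not cfg.get("banner_file"):
        findings.append("no login banner: nothing tells visitors the files are restricted")
    # xferlog_enable defaults to NO; without it there is no record of downloads.
    if cfg.get("xferlog_enable", "NO").upper() != "YES":
        findings.append("transfer logging off: no record of how often files were accessed")
    return findings
```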

The researcher who reported the leak to DataBreaches.net observed that a number of clients had files on the FTP server, and in all cases but two, the files were password-protected.

One of the two clients where no password or protection was deployed was Premier Urgent Care in Exton, Pennsylvania (there are a number of medical entities called Premier Urgent).


The SQL database that was not secured contained more than 205,000 patient rows, the researcher reported.

The database contained more than 205,000 records.

More than 11,000 of the records reportedly included Social Security numbers.

A second MedEvolve client with exposed patient information on that FTP server was Dr. Beverly Held, a dermatologist in Corpus Christi, Texas.


Dr. Held’s files consisted of three .dat files. According to the screenshot the researcher provided this site, the files had last been modified on November 10, 2015. The researcher estimated that there were about 12,000 Social Security numbers exposed in the files.

On May 3, DataBreaches.net notified the two medical practices and MedEvolve. At the request of Dr. Held’s staff, I also spoke with their outsourced IT support firm.

That same day, the files were removed from public access.

And that was the last I heard until I started reaching out to them all again to ask what they had found and what they intended to do. Dr. Held’s IT firm responded promptly to my inquiries and indicated that they were not responsible for the leak because this incident, if it occurred, predated their involvement with Dr. Held’s practice. For every other question I posed, their answer was that MedEvolve was investigating.

Here are the questions I had/have for both entities and MedEvolve:

  • For how long were the Premier Urgent Care files exposed without any password required to access them?
  • For how long were Dr. Beverly Held’s patient files exposed without any password required to access them?
  • Were there access logs that showed how many times the patient data files may have been accessed and/or downloaded?
  • Whose responsibility was it to secure those files? MedEvolve? The clients’?
  • Will any patients be notified of this?
  • Will HHS be notified of this?
  • Did Premier Urgent Care and Dr. Beverly Held have business associate agreements in place with MedEvolve?
  • Did Premier Urgent Care and Dr. Beverly Held have risk assessments that included the files on this FTP server?
  • Why has not one person contacted me to ask what data/PHI I might be in possession of, or what data the researcher might be in possession of, and whether we would destroy any data securely and provide an attestation to that data destruction?

DataBreaches.net did hear back from Matthew Rolfes, President & CEO of MedEvolve. Rolfes thanked this site for alerting them, and wrote:

Our IT team, along with our healthcare lawyers, are aggressively investigating the situation. We have, and will, take any necessary steps in order to mitigate any adverse effects to the extent within our control.

We are also aware of HIPAA requirements applicable to Covered Entities and Business Associates in the event of a breach. Our company will comply accordingly.

I know you will understand that we cannot, on the advice of counsel, disclose to you all aspects of the investigation.

There’s a big difference between not disclosing all and not disclosing anything. A little more transparency would be in order, I think.

So in any event, I am disclosing this incident on this site and we’ll see if/when it shows up on HHS’s public breach tool, either by MedEvolve or by one or both of the medical practices.
