DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Update on Meditab breach

Posted on April 17, 2019 by Dissent

On March 19, this blog linked to a TechCrunch report about an improperly secured Meditab fax server that potentially allowed fax images with patient information to be accessed from an analytics portal. The exposure had been found by SpiderSilk, a cybersecurity firm in Dubai, who estimated that 6 million images were potentially accessible.  The TechCrunch report noted that:

The exposed fax server was running a Elasticsearch database with over six million records since its creation in March 2018. Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.

Last night, I spoke with Angel Marrero, MedPharm’s general counsel, who responded to my request for an update as to what their investigation had shown.

According to Marrero, their investigation showed that there were maybe 200,000 fax images that were actually on the server and potentially accessible. They found no evidence that anyone other than the researches had accessed the images and that they had not been scraped, but the firm had been unable to connect with SpiderSilk to ask them questions or seek clarification.

All told, Marrero informs this site that they had about 400 clients affected by this incident that they notified.  Approximately 100 of them had 500 or more images accessible via the portal and will be notifying HHS and affected patients or will be having Meditab notify HHS and/or the patients.  The other 300 clients reportedly have fewer than 500 images or patients involved, and so will be notifying HHS or having Meditab notify HHS before next year’s deadline for incidents involving less than 500 patients.

Marrero did not give DataBreaches.net an exact number of how many patients, total, were affected as they are still investigating that, but his current best estimate is that approximately 150,000 patients may have been affected.

Obviously, that’s concerning, particularly when you remember that these are often medical reports complete with a lot of medical history and sensitive information that is not encrypted, but by the same token it’s nowhere near as bad as headlines that raise the specter of 6 million affected or learning that the data had been found and exfiltrated by those with malignant intent.

Because some of Meditab’s clients have opted to notify HHS themselves, we may find ourselves seeing a number of breach reports that do not name Meditab and where we may not understand that the report was part of this breach.  Next month could be messy that way.

 

Related posts:

  • Two Maryland medical practices notify patients after business associate error exposes patient information
  • 34 more india sites hacked and defaced by Bangladesh Cyber Army
Category: Breach IncidentsExposureHealth DataSubcontractorU.S.

Post navigation

← Klaussner Furniture Notified More than 9,000 Employees and Their Dependents of a Data Security Incident Involving Health Plan Data
Criminals are putting up old tax returns for sale on the dark web →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.