On March 19, this blog linked to a TechCrunch report about an improperly secured Meditab fax server that potentially allowed fax images with patient information to be accessed from an analytics portal. The exposure had been found by SpiderSilk, a cybersecurity firm in Dubai, who estimated that 6 million images were potentially accessible. The TechCrunch report noted that:
The exposed fax server was running a Elasticsearch database with over six million records since its creation in March 2018. Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.
Last night, I spoke with Angel Marrero, MedPharm’s general counsel, who responded to my request for an update as to what their investigation had shown.
According to Marrero, their investigation showed that there were maybe 200,000 fax images that were actually on the server and potentially accessible. They found no evidence that anyone other than the researches had accessed the images and that they had not been scraped, but the firm had been unable to connect with SpiderSilk to ask them questions or seek clarification.
All told, Marrero informs this site that they had about 400 clients affected by this incident that they notified. Approximately 100 of them had 500 or more images accessible via the portal and will be notifying HHS and affected patients or will be having Meditab notify HHS and/or the patients. The other 300 clients reportedly have fewer than 500 images or patients involved, and so will be notifying HHS or having Meditab notify HHS before next year’s deadline for incidents involving less than 500 patients.
Marrero did not give DataBreaches.net an exact number of how many patients, total, were affected as they are still investigating that, but his current best estimate is that approximately 150,000 patients may have been affected.
Obviously, that’s concerning, particularly when you remember that these are often medical reports complete with a lot of medical history and sensitive information that is not encrypted, but by the same token it’s nowhere near as bad as headlines that raise the specter of 6 million affected or learning that the data had been found and exfiltrated by those with malignant intent.
Because some of Meditab’s clients have opted to notify HHS themselves, we may find ourselves seeing a number of breach reports that do not name Meditab and where we may not understand that the report was part of this breach. Next month could be messy that way.