Meditab had established a portal to view statistics for its Fax Cloud services. Statistics were held on all faxes, but no images were stored directly on the fax server. When faxes were sent, a link to the fax image on a separate and secure server was temporarily available until the fax was confirmed as having been seen by the intended recipient. Once receipt was confirmed, the link was no longer viewable.
Usernames and passwords were necessary to obtain access to the portal; however, in January, a Meditab programmer turned off authentication without authorization. While authentication was turned off, a limited number of faxes containing medical data were viewable between January 9 and March 14, 2019. A limited number of faxes remained in the failed queue and could have been seen up until the issue was discovered and remedied. Meditab said less than 5% of the faxes that passed through the system were exposed. The portal was first seen by a security firm; however, nothing was found to suggest any other individuals had found the portal or accessed faxes.
The exposed data may have included names, addresses, phone numbers, dates of birth, and medical records and treatment remarks, which may include diagnoses and treatment details.
The firm recently informed Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) that the PHI of some of their patients had been exposed due to the data breach.
Meditab has commented that at no time could its analytics portal be searched or crawled by search engines, so discovering the portal would not have been straightforward. However, if the portal was found, an unauthorized individual could have opened the fax messages individually and had the option of downloading or printing those faxes for later review. Meditab believes the danger of harm to patients is low.
According to the breach reports filed with the HHS’ Office for Civil Rights, 1,980 CCA patients and 1,400 SMMG patients have been impacted by the breach.
It is currently not known whether any other healthcare suppliers have been impacted by the breach.