22,000 dental patients’ info exposed on unsecured Eaglesoft FTP server
Eaglesoft software by Patterson Dental is a popular patient management system. But just as one security researcher had concerns about patient data security in Henry Schein’s Dentrix G5 software, he’s also had concerns about Eaglesoft, albeit for different reasons. He contacted this site on February 6 and notified CERT of his concern:
Eaglesoft does seem to use a Connection String in the registry, and this can be changed, but it must also be changed in the database, and I can promise you NOBODY will change this. Eaglesoft has been using “dba” as a username and “sql” as a password for years and years and years. Changing this involves a bit of work; most dental IT guys will not ever be asked to change the BACKEND database password.
CERT has now issued a VU number for the report -VU#344432 – and will be contacting Eaglesoft to discuss the concern.
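The researcher's point is that the credentials live in a connection string that anyone with access to the registry can read, and that the pair is a well-known default. The following is an added example, not code from Patterson Dental, Eaglesoft or CERT: a small audit routine that parses an ODBC-style `KEY=value;` connection string (the format is an assumption; the report only says "Connection String in the registry") and flags an embedded password, an empty password, and the `dba`/`sql` default pair. The driver, server and database names in the sample strings are constructed placeholders.

```python
"""Audit an ODBC-style database connection string for default or
embedded credentials.

Added example; not code from Patterson Dental, Eaglesoft or CERT.
Assumptions: the connection string uses the common ODBC
"KEY=value;KEY=value" form, and the default pair flagged is the
dba / sql pair described in the report. Sample strings below are
constructed for illustration.
"""
from __future__ import annotations

# Known default credential pairs to flag: (lowercased user, exact password).
# The only pair the report documents is dba / sql; extend for your own stack.
DEFAULT_CREDENTIALS = {("dba", "sql")}

# Keys under which ODBC-style strings carry the user and the password.
USER_KEYS = ("uid", "userid", "user id", "user")
PASSWORD_KEYS = ("pwd", "password")


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split "KEY=value;..." into a dict with lowercased keys.

    Values wrapped in {braces} may contain ';' and are returned unwrapped,
    following the ODBC quoting convention.
    """
    params: dict[str, str] = {}
    i, n = 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = conn[i:eq].strip().lower()
        j = eq + 1
        if j < n and conn[j] == "{":
            end = conn.find("}", j)
            if end == -1:
                raise ValueError("unterminated '{' in connection string")
            value = conn[j + 1:end]
            i = conn.find(";", end)          # skip to the separator after '}'
        else:
            i = conn.find(";", j)
            value = conn[j:i if i != -1 else n]
        if key:
            params[key] = value.strip()
        i = n if i == -1 else i + 1
    return params


def audit_connection_string(conn: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    params = parse_connection_string(conn)
    findings: list[str] = []
    user = next((params[k] for k in USER_KEYS if k in params), None)
    password = next((params[k] for k in PASSWORD_KEYS if k in params), None)

    if password is not None:
        # A password stored in the connection string (e.g. in the registry)
        # is readable by anyone who can read that location.
        findings.append("password embedded in connection string")
        if password == "":
            findings.append("empty password")
        if user is not None and (user.lower(), password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials in use: {user}/{password}")
    return findings


# Constructed sample strings (placeholder driver/server/database names).
WEAK = "Driver={Some ODBC Driver};Server=dentalsrv;Database=practice;UID=dba;PWD=sql"
ROTATED = ("Driver={Some ODBC Driver};Server=dentalsrv;Database=practice;"
           "UID=dba;PWD={R0tat3d;Secret}")
EXTERNAL = "Driver={Some ODBC Driver};Server=dentalsrv;Database=practice;UID=es_app"

if __name__ == "__main__":
    for label, conn in (("weak", WEAK), ("rotated", ROTATED), ("external", EXTERNAL)):
        print(f"{label}: {audit_connection_string(conn) or ['ok']}")
```

Rotating the password removes the default-credential finding but not the embedded-password one; only a string that omits the password (supplying it at runtime or from a protected credential store) passes cleanly, which is the distinction the researcher is drawing between the registry value and the password actually set in the database.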
Also of concern: in the process of looking into Eaglesoft, the researcher discovered that some Patterson Dental clients’ patient databases were sitting unsecured on Eaglesoft’s FTP server.
DataBreaches.net sent a security alert/notification about the situation to Patterson Dental on February 6, and receiving no substantive acknowledgement, emailed them twice more over the next few days. DataBreaches.net also notified – or attempted to notify – affected Eaglesoft clients to alert them that their patients’ data was exposed.
Information provided by the researcher indicated that the exposed databases included two from Canadian dental practices, one from a U.S. dental group, and one from a U.S. dentist employed by Patterson:
Timberlea Dental Clinic (Alberta, Canada): Approximately 2,300 patients had their information exposed, including patient ID, first and last name, age, responsible party, home telephone number, date of last visit, recall date, LPA, NPA, NRA, recall type, and recall status. DataBreaches.net attempted notification via their contact form but got no response. The researcher spoke to them a few days later.
Dr. M Stemalschuk (Canada): There were two files. One was password-protected. The other was a zip file containing an Eaglesoft database with health and insurance information on approximately 15,000 patients: name, date of birth, address, telephone number, gender, marital status, employer, insurance carrier, and insurance member ID. The researcher also noted 10 SSNs. Note: DataBreaches.net did not contact this practice because it had no email address on its website and no contact form. The researcher called them.
Massachusetts General Hospital Dental Group had protected health information on some of its patients exposed in a transaction log. The data included patient first and last names, the provider’s name, the patient’s ID number, date of birth, Social Security number, gender, and chart ID number. All of the data were in plaintext. The researcher informs DataBreaches.net that there were 5,424 unique patient names in the log with 4,396 Social Security numbers. Their HIPAA compliance office thanked DataBreaches.net for notifying them and immediately launched an investigation.
Rob McCanon (CEREC specialist, Patterson Dental): a directory of almost three dozen named patients from 2009 was exposed. The files were image files (CDT), and the index was last updated in 2011. Because the researcher did not download or explore any of the individual CDT files, it is not known whether the image files also contained PHI such as patient names or if they were only images. DataBreaches.net notified Dr. McCanon via email, but received no response or acknowledgement.
By February 8, the FTP server had been taken offline, but Patterson Dental has not responded to inquiries from this site asking:
- For how long patient data had been left unsecured on the server,
- How this happened,
- How many patients, total, had PHI exposed or left vulnerable because of
- What Patterson Dental was doing in the way of notification and harm
- Whether Patterson Dental would be reporting this incident to HHS.
If Patterson Dental does provide more information or if any of the affected clients provide more details, this post will be updated.
Correction: This post previously noted that the researcher had found 90 plaintext user passwords in Dr. Stemalschuk’s data. Post-publication, the researcher clarified that the plaintext passwords table found in Dr. M Stemalschuk’s database has been present in every Eaglesoft database he has analyzed, and that Eaglesoft version 17 and below stored these passwords in plaintext. There is no indication in this case, however, that Dr. Stemalschuk used these passwords.