It looks like HHS followed up on a leak first reported by DataBreaches.net in May, 2018. At the time, this site noted that two MedEvolve clients had exposed data. One of them was Beverly Held, M.D. A researcher had found .dat files exposed without any login required and estimated that there were approximately 12,000 SSNs in the exposed data.
As I reported at the time, neither Dr. Held’s office nor MedEvolve really answered my questions at the time about the incident and I noted that more transparency was in order.
Yesterday, MedEvolve issued a press release:
As a result of its cooperation with the U.S. Department of Health and Human Services over the past two years, MedEvolve, a provider of practice management software to physician practices, is providing notice of a previous data security incident to patients of a former customer, Beverly L. Held, MD (“Dr. Held”) in Corpus Christi, Texas.
This press release supplements the initial press release made by MedEvolve on July 10, 2018 regarding the data security incident. As previously announced, on or about May 4, 2018, MedEvolve discovered that an FTP server containing a file with an undecipherable combination of names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers and in some instances, Social Security numbers, relating to certain patients of Dr. Held, was inadvertently accessible to the internet. Upon discovery, MedEvolve immediately secured the server, then launched an investigation with the help of third-party digital forensic experts. Following the conclusion of the investigation, MedEvolve determined that although the file could have been accessed via the internet until May 4, 2018, the file was undecipherable without entering it into MedEvolve’s proprietary software.
Based on the results of a third-party investigation, MedEvolve concluded at that time there was a low probability of compromise and risk to the data from Dr. Held’s office due to the undecipherable nature of the file, which is why notification was not made earlier. However, in consultation and in compliance with recent instructions from the U.S. Department of Health and Human Services, MedEvolve is providing notice at this time.
At the time of this notice, there is no evidence that anyone’s personal information has been misused as a result of this incident. However, it is best practice to regularly review and monitor account statements and credit reports and to report any suspected identity theft to local law enforcement, state Attorney General, or the Federal Trade Commission.
In response to this incident, MedEvolve is providing complimentary credit monitoring and identity theft protection services to the patients affected by this incident. Those individuals will receive a letter with instructions on how to access those services, and similar information is posted on the MedEvolve website, at www.medevolve.com/notice-privacy-incident.
As part of MedEvolve’s ongoing commitment to data security, following the incident, the company implemented additional safeguards to enhance the privacy and security of information in its IT systems, and is committed to protecting the sensitive information in its care.