More than 200,000 patients’ records were exposed on MedEvolve’s public FTP server – researcher
Common sense dictates that patients’ protected health information should not be made freely available on FTP servers that have no login required. And yet it still happens, and has happened again.
Recently, this site learned of another FTP server exposing patients’ information. This particular FTP server belongs to MedEvolve, an Arkansas company that provides practice management software. As we have seen in so many other leaks, this FTP server was set to permit anonymous login and had no banner telling people to keep out of the files with patients’ information.
The researcher who reported the leak to DataBreaches.net observed that a number of clients had files on the FTP server, and in all cases but two, the files were password-protected.
One of the two clients where no password or protection was deployed was Premier Urgent Care in Exton, Pennsylvania (there are a number of medical entities called Premier Urgent).
The SQL database that was not secured contained more than 205,000 patient rows, the researcher reported.
More than 11,000 of the records reportedly included Social Security numbers.
A second MedEvolve client with exposed patient information on that FTP server was Dr. Beverly Held, a dermatologist in Corpus Christi, Texas.
Dr. Held’s files consisted of three .dat files. According to the screenshot the researcher provided this site, the files had last been modified on November 10, 2015. The researcher estimated that there were about 12,000 Social Security numbers exposed in the files.
On May 3, DataBreaches.net notified the two medical practices and MedEvolve. At the request of Dr. Held’s staff, I also spoke with their outsource IT support firm.
That same day, the files were removed from public access.
And that was the last I heard until I started reaching out to them all again to ask what they had found and what they intended to do. Dr. Held’s IT firm responded promptly to my inquiries and indicated that they were not responsible for the leak because this incident, if it occurred, predated their involvement with Dr. Held’s practice. For every other question I posed, their answer was that MedEvolve was investigating.
Here are the questions I had/have for both entities and MedEvolve:
- For how long were the Premier Urgent Care files exposed without any password required to access them?
- For how long were Dr. Beverly Held’s patient files exposed without any password required to access them?
- Were there access logs that showed how many times the patient data files may have been accessed and/or downloaded?
- Whose responsibility was it to secure those files? MedEvolve? The clients’?
- Will any patients be notified of this?
- Will HHS be notified of this?
- Did Premier Urgent Care and Dr. Beverly Held have business associate agreements in place with MedEvolve?
- Did Premier Urgent Care and Dr. Beverly Held have risk assessments that included the files on this FTP server?
- Why has not one person contacted me to ask what data/PHI I might be in possession of, or what data the researcher might be in possession of, and whether we would destroy any data securely and provide an attestation to that data destruction?
DataBreaches.net did hear back from Matthew Rolfes, President & CEO of MedEvolve. Rolfes thanked this site for alerting them, and wrote:
Our IT team, along with our healthcare lawyers, are aggressively investigating the situation. We have, and will, take any necessary steps in order to mitigate any adverse effects to the extent within our control.
We are also aware of HIPAA requirements applicable to Covered Entities and Business Associates in the event of a breach. Our company will comply accordingly.
I know you will understand that we cannot, on the advice of counsel, disclose to you all aspects of the investigation.
There’s a big difference between not disclosing all and not disclosing anything. A little more transparency would be in order, I think.
So in any event, I am disclosing this incident on this site and we’ll see if/when it shows up on HHS’s public breach tool, either by MedEvolve or by one or both of the medical practices.