DataBreaches.net

The Office of Inadequate Security


More than 200,000 patients’ records were exposed on MedEvolve’s public FTP server – researcher

Posted on May 16, 2018 by Dissent

Common sense dictates that patients’ protected health information should not be made freely available on FTP servers that have no login required.  And yet it still happens, and has happened again.

Recently, this site learned of another FTP server exposing patients’ information. This particular FTP server belongs to MedEvolve, an Arkansas company that provides practice management software. As we have seen in so many other leaks, this FTP server was set to permit anonymous login and had no banner telling people to keep out of the files with patients’ information.

No banner told people to stay out of the FTP server. No login creds were required, either.
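The two conditions described above, anonymous login permitted and no banner, are the ones an administrator can check for directly. The script below is an added example and is not from this post or from MedEvolve: it audits a vsftpd-style configuration for those settings, and includes a probe that attempts the same anonymous login the researcher used, against a host you are authorized to test. The two configuration samples are constructed for the example; the key names and defaults are vsftpd’s (an absent anonymous_enable defaults to YES, which is why a missing key counts as a finding).

```python
"""Audit an FTP server for the conditions in the MedEvolve report:
anonymous login allowed and no banner. Added example, not the post's code.
The vsftpd.conf samples are constructed; the key names are vsftpd's."""
import ftplib
from typing import Dict, List

# vsftpd's documented defaults for the keys this audit cares about.
# An absent key takes its default, so "anonymous_enable" left out of the
# file still means anonymous login is on.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "write_enable": "NO",
    "ftpd_banner": "",
    "banner_file": "",
}

# Constructed sample reproducing the conditions the post describes.
WEAK_CONF = """
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed sample: anonymous access off, banner set, accounts confined.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ftpd_banner=Authorized users only. All access is logged.
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; vsftpd ignores blank lines and '#' comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd_conf(text: str) -> List[str]:
    """Return human-readable findings for anonymous access and missing banner."""
    conf = {**DEFAULTS, **parse_vsftpd_conf(text)}
    findings: List[str] = []
    if conf["anonymous_enable"].upper() == "YES":
        findings.append("anonymous login permitted (anonymous_enable=YES or unset)")
        if conf["write_enable"].upper() == "YES" and conf["anon_upload_enable"].upper() == "YES":
            findings.append("anonymous users may upload files (anon_upload_enable=YES)")
    if not conf["ftpd_banner"] and not conf["banner_file"]:
        findings.append("no login banner configured (ftpd_banner/banner_file unset)")
    return findings


def probe_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0) -> Dict[str, object]:
    """Attempt the anonymous login the researcher used and list the top level.
    Only run against hosts you are authorized to test."""
    result: Dict[str, object] = {"host": host, "anonymous_login": False,
                                 "banner": "", "listing": []}
    ftp = ftplib.FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout)  # returns welcome line
    except OSError as exc:
        result["error"] = str(exc)
        return result
    try:
        ftp.login()  # ftplib sends user 'anonymous', password 'anonymous@'
        result["anonymous_login"] = True
        result["listing"] = ftp.nlst()
    except ftplib.error_perm:
        pass  # 530: anonymous access refused, which is the desired outcome
    finally:
        ftp.close()
    return result


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd_conf(conf) or ["no findings"])
```

Run against the weak sample the audit reports both conditions from the post; the hardened sample reports none. Note that the audit only covers the server settings: files a client left unprotected inside a shared area still need their own access controls, which is the second failure the post describes.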

The researcher who reported the leak to DataBreaches.net observed that a number of clients had files on the FTP server, and in all cases but two, the files were password-protected.

One of the two clients where no password or protection was deployed was Premier Urgent Care in Exton, Pennsylvania (there are a number of medical entities called Premier Urgent).


The SQL database that was not secured contained more than 205,000 patient rows, the researcher reported.

The database contained more than 205,000 records.

More than 11,000 of the records reportedly included Social Security numbers.

A second MedEvolve client with exposed patient information on that FTP server was Dr. Beverly Held, a dermatologist in Corpus Christi, Texas.


Dr. Held’s files consisted of three .dat files. According to the screenshot the researcher provided this site, the files had last been modified on November 10, 2015. The researcher estimated that there were about 12,000 Social Security numbers exposed in the files.

On May 3, DataBreaches.net notified the two medical practices and MedEvolve. At the request of Dr. Held’s staff, I also spoke with their outsourced IT support firm.

That same day, the files were removed from public access.

And that was the last I heard until I started reaching out to them all again to ask what they had found and what they intended to do.  Dr. Held’s IT firm responded promptly to my inquiries and indicated that they were not responsible for the leak because this incident, if it occurred, predated their involvement with Dr. Held’s practice.  For every other question I posed, their answer was that MedEvolve was investigating.

Here are the questions I had/have for both entities and MedEvolve:

  • For how long were the Premier Urgent Care files exposed without any password required to access them?
  • For how long were Dr. Beverly Held’s patient files exposed without any password required to access them?
  • Were there access logs that showed how many times the patient data files may have been accessed and/or downloaded?
  • Whose responsibility was it to secure those files? MedEvolve? The clients’?
  • Will any patients be notified of this?
  • Will HHS be notified of this?
  • Did Premier Urgent Care and Dr. Beverly Held have business associate agreements in place with MedEvolve?
  • Did Premier Urgent Care and Dr. Beverly Held have risk assessments that included the files on this FTP server?
  • Why has not one person contacted me to ask what data/PHI I or the researcher might be in possession of, and whether we would destroy that data securely and provide an attestation of its destruction?

DataBreaches.net did hear back from Matthew Rolfes, President & CEO of MedEvolve.  Rolfes thanked this site for alerting them, and wrote:

Our IT team, along with our healthcare lawyers, is aggressively investigating the situation. We have taken, and will take, any necessary steps in order to mitigate any adverse effects to the extent within our control.

We are also aware of HIPAA requirements applicable to Covered Entities and Business Associates in the event of a breach. Our company will comply accordingly.

I know you will understand that we cannot, on the advice of counsel, disclose to you all aspects of the investigation.

There’s a big difference between not disclosing all and not disclosing anything. A little more transparency would be in order, I think.

So in any event, I am disclosing this incident on this site and we’ll see if/when it shows up on HHS’s public breach tool, whether reported by MedEvolve or by one or both of the medical practices.

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.