Two Maryland medical practices notify patients after business associate error exposes patient information

Maryland-based Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) are notifying patients because of an incident involving a third-party vendor/business associate.

According to their notification letters, on March 14, Meditab Software, Inc. became aware of a potential breach involving protected health information (PHI). The breach may have included patients’ medical records or visit notes (diagnosis and treatment), patient names, addresses, dates of birth, and phone numbers.

Meditab reportedly identified the duration of the potential data breach to be between January 9, 2019 and March 14, 2019. Meditab also explained how the incident occurred. As described by CCA and SMMG:

Meditab has notified us that the incident involving PHI was an issue with a certain portal that allowed Meditab to view statistics for its Fax Cloud services. This analytics platform maintained statistics on all faxes sent but did not have any images directly on the server. However, as the fax was being transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax sent confirmation was received. Once the fax was sent, this link was no longer active. This portal was intended for Meditab use only, and initially was deployed with username/password authentication in place. However, on January 9, 2019, this authentication was removed without authorization by one of Meditab’s programmers.

Meditab reportedly found that a limited number of faxes were discoverable until the time the incident was reported.
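The control that failed here was simple: an internal analytics portal that was supposed to sit behind username/password authentication, until a code change switched that requirement off. The following is an added example, not Meditab's code or anything from the notification letters; it models a hypothetical statistics portal (names, the `/stats` path, the credential and the sample counts are all constructed) and shows the kind of authentication regression check a deployment pipeline can run so that a change which removes the login requirement fails the gate instead of reaching production.

```python
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample credential for the hypothetical portal; a real deployment
# would load this from a secret store, never from source.
PORTAL_USER = "analytics"
PORTAL_PASSWORD = "example-password"

# Constructed sample analytics records: counts only, no fax images, mirroring
# the article's description of a statistics-only portal.
FAX_STATS = {"sent_today": 42, "failed_today": 1}


def _credentials_ok(authorization_header):
    """Return True only for a well-formed Basic header carrying the expected credentials."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison so the check does not leak which part was wrong.
    return hmac.compare_digest(user, PORTAL_USER) and hmac.compare_digest(password, PORTAL_PASSWORD)


class PortalHandler(BaseHTTPRequestHandler):
    REQUIRE_AUTH = True  # the control that was switched off in the incident described above

    def do_GET(self):
        if self.REQUIRE_AUTH and not _credentials_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="analytics"')
            self.end_headers()
            return
        body = json.dumps(FAX_STATS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_portal(require_auth=True):
    """Start the hypothetical portal on an ephemeral localhost port; return (server, base_url)."""
    handler = type("Handler", (PortalHandler,), {"REQUIRE_AUTH": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def status_for(url, credentials=None):
    """GET url, optionally with Basic credentials (user, password); return the HTTP status code."""
    req = Request(url)
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def auth_regression_check(base_url):
    """Deployment gate: anonymous and wrong-credential requests must be refused, valid ones served."""
    anonymous = status_for(base_url + "/stats")
    wrong = status_for(base_url + "/stats", ("analytics", "wrong"))
    right = status_for(base_url + "/stats", (PORTAL_USER, PORTAL_PASSWORD))
    return {
        "anonymous": anonymous,
        "wrong_password": wrong,
        "valid": right,
        "passes": anonymous == 401 and wrong == 401 and right == 200,
    }


if __name__ == "__main__":
    # Run the gate twice: once against the intended configuration, once against
    # a build where the login requirement has been removed.
    for require_auth in (True, False):
        server, url = start_portal(require_auth)
        print(f"require_auth={require_auth}: {auth_regression_check(url)}")
        server.shutdown()
```

The point of the gate is that it exercises the deployed service from the outside rather than reading a configuration flag: whatever form the change takes (a removed decorator, a disabled middleware, an edited config), an anonymous request that comes back `200` fails the check, and the portal never ships without its login.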

The entities somewhat understandably view this incident as resulting in a low risk of any harm to patients, further explaining:

While the analytics portal was not searchable or crawlable on any search engines, if the portal was found, any faxes that were discoverable would have to be accessed individually in a separate window in order to download or print.

Both entities have posted copies of their notification letters on their websites and have reported the incident to HHS. CCA is notifying 1980 patients, while SMMG is notifying 1400 of its patients.

DataBreaches.net contacted Meditab Software to inquire as to how many other clients or how many patients, total, have been notified of this incident, but did not receive an immediate response.

About the author: Dissent