[BreachExchange] Unsecure Fax Server Leaked Patient Data

Destry Winant destry at riskbasedsecurity.com
Thu Mar 21 01:46:59 EDT 2019


A medical software vendor's unsecured fax server leaked patients'
medical information, highlighting yet again the importance of vendor
risk management.

Sacramento, Calif.-based Meditab Software Inc., which provides fax
services and other services for healthcare providers, leaked the
patient records through a fax server that was hosted by a subdomain of
one of its affiliate companies, MedPharm Services, based in Puerto
Rico, according to a March 17 report on news site TechCrunch.

Meditab's website says the privately held company provides software to
over 2,200 clients from over 35 medical specialties.

TechCrunch reports that SpiderSilk, a Dubai-based cybersecurity firm,
made the discovery that the exposed fax server was running a
Elasticsearch database with over 6 million records since its creation
in March 2018.

As of Monday, the incident did not appear on Department of Health and
Human Service's HIPAA Breach Reporting Tool website that lists major
health data breaches. It's not yet clear how many records were
potentially exposed or for how long.

Because the server allegedly had no password, anyone could read the
transmitted faxes in real time, SpiderSilk told TechCrunch. The faxes
contained a variety of information, including names, addresses,
medical information, prescription information and, in some cases,
Social Security numbers and payment data, the news site reports. And
apparently none of the data was encrypted, it states.

Meditab Response

Angel Marrero, general counsel at Meditab and MedPharm Services,
confirms to Information Security Media Group that MedPharm hosted the
unsecured fax server on its subdomain.

Marrero says the companies cannot yet disclose how long the fax server
was left unsecured, the number of individuals who were affected or how
the incident occurred because the incident is under review for the
scope of the potential exposure. "I can confirm that the fax server
was taken down immediately after we were notified," he says.

MedPharm Services and Meditab Software will comply with all required
notification requirements under federal and state regulations, he

"We are conducting a comprehensive security check of all our portals
and services to make sure they are secured," Marrero says. "In
addition, we will be implementing additional penetration testing as
part of our development and testing methodology. Lastly, the
management team has already conducted discussions to implement a bug
bounty program so that security researchers can report any flaws they
find directly and securely."

Marrerro adds: "We can assure all our customers and their patients
that we will do everything in our power to make sure this never
happens again."

Skipping the Basics

The apparent data exposure stemming from an unsecured fax server is
troubling for a variety of reasons, says Rebecca Herold, president of
Simbus, a privacy and cloud security services firm, and CEO of The
Privacy Professor consultancy.

"I'm coming across increasingly more B2B online services organizations
that are simply choosing not to implement basic information security
controls on their servers," she says.

Often these vendors will skip implementing necessary controls "with
the expressed opinion that they believe it is more important to 'be
agile' than to perform long-time known and necessary due diligence
data and systems security actions and implement the necessary
protections," she says. "Too many are simply willing to gamble with
their clients' data security that nothing will happen."

The security of fax servers, as well as fax machines, is often
overlooked, she adds.

"I've had business owners, and many start-up managed services
providers, tell me, 'No one uses faxes anymore. That is a waste of our
time to put attention to fax security if they are not used.' They push
forward with that flawed opinion, despite the advice of those of us
who have actually been working, and continue to work with, a wide
range of businesses of all sizes that regularly use fax transmissions
as part of their business processing."

The alleged lack of a password to protect the fax server and alleged
absence of encryptionare particularly concerning, Herold says.

"The breached organizations in this case will likely never know how
many others may have obtained all that sensitive patient data," she
says. "The crooks using it for fraud and other crimes, and selling it
to other criminals, are the only ones who will have any type of
insights into the answer to that question."

Lingering Problems

Despite the move to electronic health records, as well as growing
adoption of the Directprotocol for point-to-point encrypted healthcare
messaging, many healthcare providers in the U.S., especially smaller
entities, still rely on faxes for exchanging patient information and
sending prescriptions to pharmacies.

The U.K. in January banned National Health System healthcare trusts
from buying fax machines, and faxes will be phased out by March 31,
2020, in favor of more secure methods of communication, including
secure email, according to a statement issues last December by Matt
Hancock, the U.K's secretary of state for health and social care.

Privacy attorney David Holtzman of the security consultancy
CynergisTek says the Meditab mishap is a prime example of the risks
involving vendors.

"This incident has little to do with the prevalence in the use of fax
machines in healthcare. The root cause of this event was that the
cloud computing vendor did not secure their servers, resulting in
exposing the data to the internet," he says. "This represents a
fundamental failure to practice minimum information security
practices. We have seen these incidents over and over again with
cloud-based medical transcription vendors and healthcare billing

Other Vendor Mishaps

Many other vendors have also been implicated in security breaches
involving misconfigured servers.

For instance, last November, the New Jersey state attorney general
office signed a $200,000 settlement with Best Medical Transcription
for a 2016 breach involving the misconfiguring a server that publicly
exposed protected health information - including the names and medical
diagnoses of more than 1,600 patients treated by Marlton, New
Jersey-based Virtua Medical Group.

The New Jersey attorney general's office last April also signed a
nearly $418,000 settlement with Virtua Medical Group.

The cases against Best Medical Transcription and Virtua Medical Group
alleged violations of HIPAA and the New Jersey Consumer Fraud Act.

Healthcare providers cannot rely on a cloud computing vendors' claims
they are "HIPAA compliant," Holtzman says.

"It's crucial for healthcare organizations to have a vendor security
management program in place to verify that business associates are
continuously safeguarding the information security of PHI and PII," he
says. "Don't place a high level of trust in a certification that is
the result of a one-and-done cybersecurity assessment."

Good vendor management practices call for a covered entity to work
with their contractors to employ a risk-based strategy to assess the
potential for compromise of data, Holtzman stresses. "Organizations
must aggressively pursue getting answers to questions about how their
e-PHI will be safeguarded."

More information about the BreachExchange mailing list