Data from 2,300 providers breached by medical transcriptionist service
Kansas-based MEDantex breached the patient data from at least 2,300 providers after leaving a portion of its site open to the internet, according to security researcher Brian Krebs.
The medical transcription service vendor took down its customer web portal last week after Krebs notified the company it was leaking patient data. The affected platform was where providers could upload audio notes from their patients and was meant to be password-protected.
Misconfigured databases continue to plague the industry and are most often caused by user error. In fact, insider errors outnumber outside threat actors in the healthcare industry, according to Verizon’s latest breach report.
In the case of MEDantex. a variety of its web tools meant for use by employees were exposed to the internet as well, Krebs reported. This included administration tools that let anyone who visited the page add or delete users and search for medical records by patient or provider names.
In all affected areas, no authentication was required to gain access.
MEDantex founder Sreeram Pydah told Krebs that WEBantex had recently rebuilt its site after a ransomware attack when the site was taken down for two weeks. It appears the open access was accidentally included in the rebuild.
While it’s unclear how many patient records were included in the breach, the exposed data included information from as early as 2007. Krebs also could not determine how long the data had been exposed, but access was open on April 10, 2018.
As a business associate, the breach will need to be reported to the U.S. Department of Health and Human Services. So far, as the company was notified within the last few weeks, the breach is not currently up on the Office of Civil Rights’ breach reporting wall.
The transcriptionist service client list boasts some big healthcare names, including New York University Medical Center, the Kansas Spine Center, the nationwide Foundation Surgical hospitals and Arizona-based Trillium Specialty Hospital, to name a few.
The MEDantex breach should serve as a reminder for organizations to closely monitor those functions when moving and maintaining data online.
Healthcare Security Forum
The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.