Privacy & Security

205,000 patient records exposed on misconfigured FTP server

MedEvolve, a practice management software vendor, left its FTP server open to the public without the need for a login.
By Jessica Davis
May 18, 2018
01:03 PM

Arkansas-based MedEvolve misconfigured its FTP server and exposed the data of 205,000 patients from two separate providers, the practice management software vendor confirmed to Healthcare IT News.

First discovered by DataBreaches.net, the FTP server was configured to allow anonymous login, did not require login credentials and failed to display a banner that would direct users to keep out of patient files.

While the database had numerous client files, only two clients were left without password protection: Pennsylvania-based Premier Urgent Care and Texas-based dermatologist Beverly Held, MD. Combined, the exposed database contained 205,000 patient rows of data. Held’s database had last been modified in 2015.

More than 11,000 records from Premier and 12,000 from Held’s office reportedly contained Social Security numbers.

[Also: The biggest healthcare data breaches of 2018 (so far)]

The researchers promptly notified the two providers and MedEvolve of security breach, and the files were removed from public access on the same day.

A MedEvolve spokesperson said the company is aware of the security incident and “the immediate issue has been resolved.”

“The company has taken appropriate action to prevent recurrence,” the spokesperson said. “In compliance with applicable laws and regulations, MedEvolve is working with the providers involved to take appropriate action.”

“This is not a systemwide issue,” they added. “This is an isolated issue impacting one current client and one former client. MedEvolve’s servers are secure….[and the company] is committed to maintaining the privacy and security of patient information and will continue to implement safeguards and measures to protect the data housed in company systems.”

The spokesperson also said the company is still investigating the source of information, which will likely determine how long the database was left open to the public.

MedEvolve’s leak is not unique to the vendor, as misconfigured databases continue to plague the healthcare sector. Gartner estimates that about 70 to 99 percent of these cases are caused by internal misconfiguration and stressed the issue could be mitigated by better internal policies of the organization’s IT infrastructure.

Healthcare Security Forum

The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Network Infrastructure, Privacy & Security

More regional news

Digital hospital equipment

HHS offers $50M to help providers patch ransomware vulnerabilities

By
Andrea Fox
May 20, 2024
Jen Easterly, CISA Director

CISA releases guidance for high-risk nonprofits

By
Andrea Fox
May 20, 2024
Craig Kwiatkowski of Cedars-Sinai on AI

Cedars-Sinai CIO's tips to ensure genAI is fair, appropriate, valid, effective and safe

By
Bill Siwicki
May 20, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Craig Kwiatkowski of Cedars-Sinai on AI
AI & ML Intelligence
Cedars-Sinai CIO's tips to ensure genAI is fair, appropriate, valid, effective and safe

Most Read

HHS seeks input from payers on Change cyberattack response
CISA, calling Volt Typhoon an urgent threat, updates DDoS response guide
Taiwanese hospital brings home two HIMSS digital maturity validations
EHRA on the 'big lift' of decision support certification
Cybersecurity bill would add caveat to provider payments
States step in to hasten provider recovery in wake of Change Healthcare cyberattack

Research

White Papers

More Whitepapers

Interoperability
Compliance & Legal
Artificial Intelligence

Webinars

More Webinars

Privacy & Security
Women In Health IT
Artificial Intelligence

Video

Hal Wolf_HIMSS24 Europe
HIMSS24 Europe to host AI operational and clinical efficiencies discussions
Doctor holding medical technology graphics Photo by Akarapong Chairean/iStock/Getty Images Plus
Cedars-Sinai CIO throttling genAI adoption for a safe and responsible deployment
Mette Maria Skjøth at Odense University Hospital_HIMSS24 Europe
Deploying AI to help anticipate patient health problems
Dr Georgi Chaltikyan at Deggendorf Institute of Technology
Clinician training on using AI tools could encourage adoption

More Stories

Dr Georgi Chaltikyan at Deggendorf Institute of Technology
Clinician training on using AI tools could encourage adoption
Abstract grid hovering above a city street grid
WEDI asks HHS to ensure info exchange capabilities after cyberattacks
Hospital staff review info on a tablet
Cyberattack fallout: Ascension and DocGo troubles ricochet
Dr. Reza Ryan Sadeghian at MITConn Consulting Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Docs get a helping hand from AI-enabled apps
A clinician reading a report from a desktop computer.
E-scripts platform MediSecure hit by 'large-scale...
Christopher Kunney_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How US provider organizations can build underserved populations' trust
Bart de Witte at Hippo AI Foundation_HIMSS24 Europe
Work on open-source AI models continues, but obstacles remain
Healthcare worker puts hand on shoulder of person in wheelchair
EHRA recommends simplifying standards to scale SDOH