Lack of Authentication Controls on MedEvolve FTP Server Exposed Patients’ PHI

Data Breach

An FTP server used by MedEvolve, a provider of billing and medical record services to healthcare providers, was left unsecured from March 29, 2018 to May 4, 2018, resulting in the exposure of the protected health information (PHI) of patients. While the FTP server had authentication controls in place, on March 29, 2018, those controls were accidentally removed. On the same day, the FTP server was accessed by an unknown third party. The lack of authentication controls and the data breach were discovered by MedEvolve on May 11, 2018.

The breach report submitted to the California Attorney General’s Office explained that the information of patients of Premier Immediate Medical Care was contained in a file stored on the server. MedEvolve has not publicly disclosed the number of individuals impacted by the breach, and the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal.

A security researcher discovered the unsecured FTP server in May and alerted databreaches.net about the exposure of PHI. The databreaches.net report on the incident mentioned that the compromised file holds about 205,000 lines of patient data, where each line represents the data of a different patient. The file also contained over 11,000 Social Security numbers. Patient information was stored in three .dat files belonging to one MedEvolve client; a file containing information of patients of Beverly L. Held, M.D., a Corpus Christi dermatologist, was also present on the server, and that file is believed to contain approximately 12,000 Social Security numbers.

The MedEvolve breach report stated that the Premier Immediate Medical Care file contained names, telephone numbers, billing addresses, medical insurance numbers, medical insurer names and Social Security numbers.

MedEvolve said the FTP server was immediately secured when the breach was discovered to stop further unauthorized access. A third-party computer forensics firm was contracted to conduct a full investigation into the breach, and that investigation is ongoing. MedEvolve is implementing additional security controls to protect the privacy and security of data and prevent further breaches.

Because of the exposure of sensitive data, MedEvolve is offering 2 years of free credit monitoring services via myTrueIdentity to all affected patients. Patients are also covered by a $1,000,000 identity theft insurance policy.