Transcription Company Web Portal Breach Exposed Patients’ Medical Notes
MEDantex, a medical transcription company, inadvertently left patient healthcare information unsecured and openly accessible to anyone, with no password required. A failure to restrict access to a doctors' web portal caused the disclosure of a large number of patients' protected health information (PHI).
Several hospitals and physicians use MEDantex as their medical transcription provider. They upload audio recordings to the MEDantex site, and the company's personnel access and transcribe the files. The transcribed documents are then uploaded back to the doctors' web portal, where the hospitals and physicians can download them. Only users with valid login credentials are supposed to be able to access the MEDantex web portal.
Unfortunately, Brian Krebs of KrebsOnSecurity recently discovered that certain parts of the MEDantex web portal had no authentication controls at all, allowing anyone who browsed to those areas to view stored patient information. Krebs also noted that a number of tools supposedly accessible only to MEDantex personnel could likewise be reached by unauthorized persons. Those tools could be used to modify user accounts, look up details about named patients, and search for the patients of particular doctors.
According to Krebs, the website listed the names of 2,300 doctors from across the country, each with an index of audio files and transcribed medical notes. All of these files were freely downloadable because of the glitch. The error appears to have been introduced while the MEDantex portal was being rebuilt: the site had suffered a ransomware attack that encrypted all of the data on the portal, and during the restoration and rebuild, password protection was disabled, leaving the portal exposed.
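The failure described above is a web application that relies on each page opting in to authentication, so that a page or staff tool that loses its check during a rebuild is silently served to anyone. The following is an added illustration, not MEDantex's code: a small route gate that denies access unless a route is explicitly marked public, together with an audit that lists every route an anonymous visitor can read. The class, the route paths, and the roles are constructed for the example.

```python
# Added illustration (not MEDantex code): a deny-by-default route gate for a
# transcription portal, plus an audit that reports routes readable without a session.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    path: str
    user: Optional[str] = None    # None means the visitor has no authenticated session
    role: Optional[str] = None    # constructed roles: "doctor" or "staff"


@dataclass
class Response:
    status: int
    body: str = ""


Handler = Callable[[Request], Response]


class Portal:
    """Every route is protected unless it is explicitly registered as public."""

    def __init__(self) -> None:
        # path -> (handler, is_public, allowed roles; empty set = any logged-in user)
        self._routes: Dict[str, Tuple[Handler, bool, Set[str]]] = {}

    def route(self, path: str, public: bool = False, roles: Tuple[str, ...] = ()):
        def register(fn: Handler) -> Handler:
            self._routes[path] = (fn, public, set(roles))
            return fn
        return register

    def handle(self, req: Request) -> Response:
        entry = self._routes.get(req.path)
        if entry is None:
            return Response(404)
        fn, is_public, roles = entry
        if is_public:
            return fn(req)
        if req.user is None:              # no session: refuse before touching any data
            return Response(401)
        if roles and req.role not in roles:
            return Response(403)          # logged in, but not permitted to use this tool
        return fn(req)

    def anonymous_readable(self) -> List[str]:
        """Routes that answer 200 to a visitor with no session; ideally only the login page."""
        return sorted(p for p in self._routes if self.handle(Request(p)).status == 200)


def build_portal(rebuild_mistake: bool = False) -> Portal:
    """Constructed portal. With rebuild_mistake=True, a staff-only tool is
    registered as public, the kind of slip a hurried restore can introduce."""
    app = Portal()

    @app.route("/login", public=True)
    def login(_: Request) -> Response:
        return Response(200, "login form")

    @app.route("/files", roles=("doctor",))
    def files(req: Request) -> Response:
        return Response(200, f"transcripts for {req.user}")

    @app.route("/staff/patient-search", public=rebuild_mistake, roles=("staff",))
    def patient_search(_: Request) -> Response:
        return Response(200, "patient records")

    return app


if __name__ == "__main__":
    for label, app in (("correct", build_portal()), ("after rebuild", build_portal(True))):
        print(f"{label}: readable without login -> {app.anonymous_readable()}")
```

Because the gate refuses any route that is not explicitly public, a handler whose role list is forgotten still requires a session. The `anonymous_readable` audit is the check a practitioner would run after every deployment or restore: a non-empty result beyond the login page is a finding, and it would have flagged the exposed staff tools before any visitor found them.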
As soon as Brian Krebs informed MEDantex of the problem, the web portal was taken offline and an investigation was started. Although the website is no longer available online, a Google cache of the site dated April 10, 2018, still shows the exposed files. The actual number of patients whose PHI was compromised is not yet known, but the PHI of thousands of patients was probably exposed. There is as yet no confirmation of whether any PHI was obtained by unauthorized individuals while the portal was exposed.