Transcription Services Web Portal Breach Leaked Patients’ PHI

MEDantex, a transcription service provider, accidentally left patient medical records unsecured and freely accessible to anyone without a password. The failure to restrict access to a physician’s portal resulted in the exposure of thousands of patients’ PHI.

Many hospitals and physicians choose MEDantex for their medical transcription services. They upload audio files to the MEDantex website, which the company’s employees access and transcribe. The files with transcribed notes are uploaded to the website or physician’s portal, where the hospitals and physicians can download them. The MEDantex portal is meant to be accessible only to users who authenticate with a password.

Unfortunately, Brian Krebs of KrebsOnSecurity recently discovered that certain portions of the MEDantex website lacked authentication controls, allowing anyone who visited those portions in a browser to access stored patient data. Krebs reported that several tools supposedly used only by MEDantex staff were also accessed by unauthorized individuals. The tools were used to add and remove users, find information about named patients and search for patients of particular physicians.

According to Brian Krebs, the names of 2,300 physicians all over the country are listed on the site. Each had a directory that contained audio files and files of transcribed medical notes. These files were all freely downloadable because of the glitch. The portal error is believed to have been introduced when the MEDantex portal was rebuilt. The MEDantex website had been attacked by ransomware, and all data on the portal was encrypted. During the restoration of data and rebuilding of the portal, password protection was removed, resulting in the portal error.

When Brian Krebs told MEDantex about the error, the portal was taken offline right away and investigated. Although the website is no longer online, a Google cache of the site still shows the files as accessible since April 10, 2018. The exact number of patients whose PHI was exposed is still unknown. Most likely, thousands of patients’ PHI was exposed. There is no confirmed report of any PHI being downloaded by unauthorized persons during the time of the breach.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA