A potential breach at Meditab Software Inc. affects two healthcare companies in Maryland. Meditab is a business associate of the two companies providing EMR and practice management software. As such, its systems include patient protected health information (PHI). Meditab discovered in March 2019 that some PHI were left unsecured.

Meditab had developed a website to access statistics meant for its Fax Cloud services. All faxes have statistics to maintain, but the fax server does not store images. When transmitting faxes, there’s a temporarily available hyperlink to the fax image stored on a separate and secure server until the receipt of the fax is confirmed. Then the link is deleted.

To access the portal, usernames and passwords are used. However, a Meditab programmer disabled this authentication feature without authorization in January. During the time that authentication was disabled, some faxes that contain medical data were accessible from January 9 to March 14, 2019. Several faxes stayed in the failed queue and may have been viewed until the correction of the problem. Meditab explained that less than 5% of the faxes were exposed. A security firm discovered the unprotected portal; there’s no proof that suggest other people discovered the portal or viewed faxes.

The following information may have been exposed: names, addresses, telephone numbers, birth dates, and medical data and consultation notes, including diagnoses and treatment data.

The company recently advised Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) about the exposure of some of their patients’ PHI.

Meditab claimed the search engines do not crawl the analytics portal, so it shouldn’t be easy to discover the portal. Nonetheless, if an unauthorized person found the portal, fax messages could have been opened individually with option to download or print the faxes. Meditab is convinced there is a low risk of harm to patients.

The breach reports sent to the HHS’ Office for Civil Rights indicate that 1,400 SMMG and 1,980 CCA patients were affected. There is no other report as of this time regarding other healthcare providers affected by the breach.