California company Meditab, which makes medical records software for hospitals, doctor’s offices, and pharmacies, exposed data on a server without a password (via TechCrunch).
Besides medical records software, Meditab also processes faxes for healthcare providers, and it was a fax server that wasn't secured. Dubai security company SpiderSilk found the server. It ran an Elasticsearch database containing over six million records dating back to March 2018.
Because the server had no password, anyone who found it could read the faxes in real time. Doctor's notes, medical records, prescriptions, and personal and health data (including children's) were all exposed, and all of it was stored in unencrypted form.
We don’t know if anyone else found the server or how long the data was exposed (I’m guessing since its creation). Angel Marrero, general counsel for MedPharm Services, an affiliate of Meditab that owned the subdomain the server was hosted on, said the company “will comply with any and all required notifications under current federal and state laws and regulations, as applicable.”