Meditab Software suffers data breach impacting its clients

• The data breach stemmed from an issue in the portal that allowed Meditab to view statistics for its Fax Cloud services.
• This incident has exposed CCA and SMMG patients’ personal information including names, addresses, dates of birth, phone numbers, medical records, visit notes, diagnosis, and treatment.

Medical records and patient information belonging to Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) have been impacted after a third-party vendor Meditab Software suffered a data breach.

What happened?

Meditab Software suffered a data breach between January 10, 2019, and March 14, 2019. The incident stemmed with an issue in the portal that allowed Meditab to view statistics for its Fax Cloud services.

Upon discovery, Meditab conducted an investigation and found out that just under 5% of fax images sent through the Fax Cloud service could have been potentially accessed through the portal.

Meditab also notified Capitol Cardiology Associates and Southern Mayland Medical Group about the incident.

“This analytics platform maintained statistics on all faxes sent but did not have any images directly on the server. However, as the fax was being transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax sent confirmation was received. Once the fax was sent, this link was no longer active. This portal was intended for Meditab use, only, and initially was deployed with username/password authentication in place. However, on January 9, 2019, this authentication was removed without authorization by one of Meditab’s programmers,” Meditab said in the notification.

What was exposed?

This incident has exposed CCA and SMMG patients’ personal information including names, addresses, dates of birth, phone numbers, medical records, visit notes, diagnosis, and treatment.

The response

Both CCA and SMMG are currently notifying the potentially affected patients as well as the three major credit bureaus and the Maryland Office of the Attorney General about the incident.