Misconfigured fax server exposes thousands of doctors’ notes, medical records and more

• The leaky server, which ran an ElasticSearch database, was left open to the public on the internet without any password protection.
• The ElasticSearch database contained over six million records since March 2018.

In a new incident of data leaks, security researchers have unearthed an unprotected fax server leaking thousands of doctor’s notes, medical records and prescriptions. The leaky server, which ran an ElasticSearch database, was left open to the public on the internet without any password protection.

What is the matter - SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch that a security lapse in the fax server was exposing the data related to doctors and medical firms daily. The misconfigured server was running an ElasticSearch database which contained over six million records since March 2018. It is believed that the server belongs to a California-based software company, Meditab. Meditab processes electronic faxes for healthcare providers. It also provides electronic medical records software for several hospitals, doctors’ offices, and pharmacies.

SpiderSilk found that the fax server that was used for sharing patient files between the providers and pharmacies, was poorly secured. As the server had no password, anyone could read the transmitted faxes, including the content, in real-time.

What data has been exposed - The transmitted faxes contained a host of personally identifiable information and health information. They also included medical records, doctors’ notes, prescription amounts & quantities, illness information such as blood test results. The PII included names, addresses, dates of birth and in some cases Social Security numbers and health insurance information and payment data.

The personal data health information on children were also part of the exposed transmitted faxes. None of the data was encrypted.

What has been done until now - Kalpesh Patel, founder of Meditab, has been informed about the issue. The firm is looking into the matter.

Meanwhile, the company’s general counsel, Angel Marrero has said, “We are still reviewing our logs and records to access the scope of any potential exposure. We are still reviewing our logs and records to access the scope of any potential exposure.”