Medical transcription provider MEDantex has reportedly exposed the protected health information of thousands of patients through its unsecured provider portal, which did not require a password for access.
According to reports, including one from KrebsOnSecurity, patients’ audio medical notes were uploaded to MEDantex’s website and were then to be transcribed and uploaded to a portal accessible to the medical providers. To access the transcribed notes, the provider is supposed to enter a password. Krebs has reported that he found certain portions of the website did not contain password authentication controls, thereby allowing anyone who visited the website to review and download the patient data contained on the site. Further, tools could be used by unauthorized users to add and remove authorized users, search for specific patients by physician name, and find patient information by the patient’s name.
The problem apparently occurred when MEDantex rebuilt the site after it was the victim of a ransomware attack. During the rebuild, the password protection was removed.