Feds Hit Vendor With $350K Settlement in FTP Server Breach
Practice Management Software Firm's 2018 Incident Affected Nearly 231,000
Federal regulators fined practice management software and services vendor MedEvolve $350,000 in the aftermath of an investigation into a 2018 HIPAA breach involving an unsecured File Transfer Protocol (FTP) server. The company said the incident was the result of "a singular human error."
The Department of Health and Human Services' Office for Civil Rights on Tuesday said MedEvolve had agreed to pay the financial settlement and to implement a corrective action plan to resolve potential HIPAA violations. The agency said an unsecured company FTP server had exposed the electronic protected health information of nearly 231,000 individuals.
The incident affected two MedEvolve clients - Premier Immediate Medical Care and the office of Dr. Beverly Held. During its investigation into the incident, the agency said it had found evidence that the PHI for both covered entities was viewed by at least one unauthorized individual during the four months the FTP server was open to the public (see: Health Data Breach Victim Tally for 2018 Soars).
Patient information left exposed in the MedEvolve incident included names, billing addresses, telephone numbers, primary health insurer and doctor's office account numbers, and some Social Security numbers, HHS OCR said.
The agency's investigation into the MedEvolve breach also found potential HIPAA violations, including the Little Rock, Arkansas-based company's failure to conduct a HIPAA security risk analysis and its failure to enter into a business associate agreement with a subcontractor.
"HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet," said Melanie Fontes Rainer, HHS OCR director, in a statement.
Network servers are the breach location category that accounts for the largest share of HIPAA breaches affecting 500 or more individuals, HHS OCR said.
MedEvolve in a Tuesday statement said the incident was the result of "a singular human error."
The incident did not involve or have any impact on MedEvolve's technology solutions, the statement said. "The incident was a result of a data file that was inadvertently placed on an FTP server that was separate from our client hosting environment. The server was immediately secured upon discovery of the file, and no malicious use of patient information has ever been detected."
Avoiding FTP Mishaps
Wendell Bobst, senior security consultant at privacy and security consultancy tw-Security, told Information Security Media Group that most of the security incidents he sees involving FTP servers involve weak practices by the operators of the FTP service.
They include the use of generic folders, where one customer can access the files of other customers; passwords that are not changed periodically; the absence of multifactor authentication for all admin functions; and customers failing to notify the FTP service of any change in their personnel with knowledge of the FTP password.
"Stop using FTP and even Secure FTP. Consider using SharePoint/OneDrive or Google Drive, or Dropbox instead," he advised.
Short of stopping the use of FTP services, Bobst recommends entities take steps to ensure customers have individual FTP folders or areas, require that all admin and privileged users use multifactor authentication for all administrative functions, regularly change all admin and service account passwords that are not protected by multifactor authentication, and conduct periodic customer/user access reviews.
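The practices in the two paragraphs above can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the article, MedEvolve, HHS OCR or tw-Security. It assumes the daemon is vsftpd (the article does not say what server MedEvolve ran), takes upstream defaults for any directive the config file omits (vsftpd.conf(5); distribution packages often ship a stock file with different values, so audit the file actually deployed), and uses a constructed sample config and account inventory. It covers the public-access, shared-folder, password-age and access-review items; multifactor authentication for admin functions lives in the SSH or console path, not in vsftpd.conf, so it is not checked here.

```python
"""Audit an FTP deployment for the weak operator practices described above.

Added example for this page (not MedEvolve's, HHS OCR's or tw-Security's code).
Assumes vsftpd; absent directives take the upstream defaults from vsftpd.conf(5).
All sample data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Upstream defaults for the directives this audit inspects (vsftpd.conf(5)).
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",     # upstream default is YES: public read access
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",     # NO: a customer may browse outside their home
    "ssl_enable": "NO",
}
TRUE_VALUES = {"YES", "TRUE", "1"}  # boolean spellings vsftpd accepts


def parse_vsftpd_conf(text):
    """Return directive -> value, with defaults for anything the file omits."""
    conf = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_on(conf, key):
    return conf.get(key, "NO").upper() in TRUE_VALUES


def audit_conf(text):
    """Findings for the 'server open to the public' class of mistake."""
    conf = parse_vsftpd_conf(text)
    findings = []
    if is_on(conf, "anonymous_enable"):
        findings.append("anonymous_enable: anyone on the internet can log in without a password")
    if is_on(conf, "anon_upload_enable") or is_on(conf, "anon_mkdir_write_enable"):
        findings.append("anonymous write access: strangers can drop or alter files")
    if not is_on(conf, "chroot_local_user"):
        findings.append("chroot_local_user off: a logged-in customer can browse other customers' folders")
    if not is_on(conf, "ssl_enable"):
        findings.append("ssl_enable off: credentials and file contents cross the network in cleartext")
    return findings


def audit_accounts(accounts, today, max_password_age_days=90, max_idle_days=180):
    """Access-review findings: folders shared across customers, stale passwords, idle users.

    Each account is a dict: user, customer, home, password_changed (date), last_login (date or None).
    """
    findings = []
    customers_by_home = defaultdict(set)
    for a in accounts:
        customers_by_home[a["home"]].add(a["customer"])
    for home, customers in sorted(customers_by_home.items()):
        if len(customers) > 1:  # the "generic folder" problem
            findings.append(f"{home}: shared by {len(customers)} customers ({', '.join(sorted(customers))})")
    for a in accounts:
        age = (today - a["password_changed"]).days
        if age > max_password_age_days:
            findings.append(f"{a['user']}: password not changed for {age} days")
        if a["last_login"] is None or (today - a["last_login"]).days > max_idle_days:
            findings.append(f"{a['user']}: no login in {max_idle_days} days, confirm the person still needs access")
    return findings


# Constructed sample: the file never mentions anonymous_enable, so the upstream
# default (YES) applies and the server is readable by anyone who connects.
WEAK_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
local_root=/srv/ftp/customers
"""

# Constructed corrected file: no anonymous login, each user confined to their
# own folder, TLS required (certificate directives omitted for brevity).
HARDENED_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
"""

REVIEW_DATE = date(2023, 5, 16)  # constructed review date
SAMPLE_ACCOUNTS = [  # constructed inventory
    {"user": "clinic-a-upload", "customer": "clinic-a", "home": "/srv/ftp/customers/clinic-a",
     "password_changed": date(2023, 3, 1), "last_login": date(2023, 5, 12)},
    {"user": "clinic-b-upload", "customer": "clinic-b", "home": "/srv/ftp/customers/shared",
     "password_changed": date(2022, 12, 1), "last_login": date(2023, 5, 2)},
    {"user": "clinic-c-upload", "customer": "clinic-c", "home": "/srv/ftp/customers/shared",
     "password_changed": date(2023, 5, 1), "last_login": None},
]

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_conf(conf) or ["no findings"])
    print(audit_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE))
```

The point of the defaults table is the failure mode in this incident: a server can be "open to the public" without anyone ever writing `anonymous_enable=YES`, because silence in the file means the upstream default. The account review runs on the same inventory the operator already keeps, so it can be scheduled alongside the config check rather than treated as a separate paperwork exercise.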
"Unfortunately, organizations protecting PHI have many doors they need to monitor. They need to validate all the legitimate people that need to access various rooms," he said. "Regular risk analysis and executive support serve as the foundation for a security officer to continually manage and refine the critical practices for each organization."
As part of its settlement with HHS OCR, MedEvolve also agreed to implement a corrective action plan that includes conducting a risk analysis, developing and implementing a risk management program, and providing augmented HIPAA training to its workforce.