MedEvolve data breach exposed information of 200,000 urgent care patients

Data breach
Information of 200,000 urgent care patients may have been exposed in a data breach. (tashka2000/Getty)

MedEvolve, an Arkansas-based practice management software provider, revealed a healthcare data breach exposed the information of more than 200,000 patients.

In a July 10 release, MedEvolve, which provides practice management software to physicians and health facilities, said it is notifying Premier patients that their personal information may have been exposed in the breach.

Specifically, the breach may have impacted more than 200,000 current and former patients of Premier Immediate Medical Care, a Pennsylvania-based company that is a customer of MedEvolve and operates a network of urgent care facilities in the U.S.

​​​​​​RELATED: Number of patient records compromised by data breaches dropped 80% in 2017


Employer-Based Insurance: Top Priorities for 2019

Join Blue Health Intelligence (BHI) and Midwest Business Group on Health (MBGH) to hear how key descriptive, predictive and prescriptive analytics capabilities can drive new cost and quality insights for health plans, employers and benefit consultants.
A file left accessible on a MedEvolve FTP server contained patients’ names, billing addresses, telephone numbers, the identification of primary health insurers and the Social Security numbers for some of the individuals, the company said. The file did not contain any clinical information such as treatment or diagnosis or any financial information such as methods of payment. 

MedEvolve said it discovered on or about May 11 that an FTP server containing a file with information about Premier patients was inadvertently accessible on the internet. The company said the file was placed on the server as part of an isolated data transfer event.

RELATED: Unintended disclosure accounts for a big chunk of data breaches in 2017, and spear phishing is on the rise

An investigation determined that the file was accessible on the internet from March 29 to May 4 and that one file was subject to unauthorized access on March 29.

MedEvolve said it is mailing letters to impacted patients and will provide them with two years of credit monitoring. The company said it is also informing the Department of Health and Human Services of the breach, as well as required state regulators.

While healthcare data breaches continued to climb in 2017, the number of affected patient records declined 80% last year as the industry managed to avoid a large-scale attack.