Medical Billing Operator Leaks Customer Data
It is no secret that in the lucrative world of healthcare, medical billing records are the most valuable and most frequently targeted data for cyber criminals. Keeping medical data and hospital networks safe from unauthorized access is one of the biggest security challenges facing the industry.
In early June, the Kromtech Security Research Center discovered a database that appears to belong to iMAX, an Ohio-based medical billing provider. The data was publicly available and contained patient information, login details, and more.
iMAX provides electronic medical billing services and charges between 5% and 7% of the provider's net revenue from insurance and patient payments. According to their website, “iMAX Medical Billing will turn your Cash Crunch to Cash Flow through: Medical Billing, Electronic Medical Records, Collections, Automatic Checking & Credit Card Payment Processing, Certified Code Review, Credentialing, and Medicare RAC Audit protection services.” They also offer cloud-based data management solutions for Electronic Health Records, Patient Portal, Practice Management, and Clearinghouse.
The leak appears to affect 23 different doctors' offices and includes medical history information, payment data and, most importantly, login details for online medical services, insurance portals and email accounts.
On June 12th, we sent notification emails to iMAX contacts (whose details were also exposed in the backup), and within a couple of hours the IP was secured. Throughout the course of our investigation we have been in touch with Dissent Doe of databreaches.net; you can read her take on the story here:
Data breaches have a lasting impact, and it is estimated that they cost the healthcare industry $6 billion annually. A Ponemon Institute benchmark study on healthcare privacy and security estimates that the average economic impact of data breaches per organization is $2.1 million. In the US, medical data is protected by the Health Insurance Portability and Accountability Act, also known as HIPAA. The law broadly applies to health care providers, data processors, pharmacies and other entities that come into contact with medical information. Under federal law, all medical-related security incidents need to be reported in the event of a data breach. HIPAA also contains a Security Breach Notification Rule, which requires notice of a breach of protected health information. Organizations that fail to disclose or report data breaches put their customers at risk and could potentially be breaking the law.
Medical billing records and insurance information are the top stolen data targets
Medical data is extremely valuable to everyone, including criminals. In 2015 the medical billing outsourcing market was valued at $6.3 billion USD and is expected to grow to $16.9 billion USD by 2024, according to a report by Grand View Research. As the market grows, so does the reliance on on-demand medical records and cloud-based record management. It is also clear that there is no universal standard for medical data security. The patchwork of so many different medical billing providers, each using different methods of storage, increases the chances that some providers will use little or no cyber security measures to protect medical data. This could potentially leave millions of patients' personal information vulnerable.
It is unclear how long the iMAX data was publicly exposed or who else, apart from security researchers, had access to it. This is yet another warning to any company or service provider that handles and stores personal medical data. Security experts warn that not only should they audit their security processes regularly, but they should also have an incident response process in place in the event of a data leak. With the wave of ransomware attacks on hospitals and medical providers, it is clear that the healthcare sector is being targeted by cyber criminals.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org