Medical software provider MedEvolve exposes 200,000 patient records online
A failure to protect online data has resulted in the exposure of approximately 200,000 protected health information records from Arkansas-based cloud practice management software provider MedEvolve LLC.
The data breach involved MedEvolve leaving a backup database of customer data from Premier Immediate Medical Care LLC, a healthcare provider with outlets in Pennsylvania and Delaware, on an FTP server without password protection — or as MedEvolve described it, the file was “inadvertently accessible to the internet.”
A subsequent investigation by the company found that a file had been “subject to unauthorized access on March 29, 2018” and that the information within the file was subsequently posted online. But the company doesn’t say whether the data had been stolen for nefarious purposes. The reference to the information being posted online possibly points to a report from Databreaches.net on May 16, which not only detailed the data exposure but also included a screenshot of information contained within the exposed database.
The data exposed included patient names, billing addresses, telephone numbers, the identification of patients’ primary health insurers and, for some individuals, Social Security numbers. But it didn’t include any clinical information such as treatment or diagnosis, or any financial information such as methods of payment.
MedEvolve said that it has shut down access to the file and hired a third-party forensic investigator to conduct an exhaustive investigation of this matter. It’s also working to implement additional safeguards and security measures to enhance the privacy and security of information in its systems.
Scott Schneider, chief revenue officer at CyberGRX Inc., told SiliconANGLE that healthcare providers need to understand that the growing reliance upon and interconnectivity with third parties, while critical to run their practices, poses significant risk.
“Patients trust their healthcare providers with incredibly personal and sensitive data, and a breach of data is also a breach of that trust,” Schneider said. “The information security posture of third parties, including all solution providers, must be measured, monitored and viewed as part of their extended ecosystem of responsibility.”