Skip to content

Expanded Notification of Prior Data Security Incident   

As a result of our cooperation with the U.S. Department of Health and Human Services over the past two years, MedEvolve, a provider of practice management software to physician practices, is providing notice of a previous data security incident to patients of a former customer, Beverly L. Held, MD (“Dr. Held”) a dermatologist in Corpus Christi, Texas.

What Happened? On or about May 4, 2018, MedEvolve discovered that an FTP server containing a file with information related to certain patients of Dr. Held was inadvertently accessible to the internet. Upon discovery, MedEvolve immediately secured the server, then launched an investigation with the help of third-party digital forensic experts, to determine the contents of the file and whether the file was subject to unauthorized access.  Following the conclusion of the investigation, MedEvolve determined that although the file could have been accessed via the internet until May 4, 2018, the file was undecipherable without entering it into MedEvolve’s proprietary software.

Based on the results of our third-party investigation, MedEvolve concluded at that time there was a low probability of compromise and risk to the data, which is why notification was not made earlier.  However, in consultation and in compliance with recent instructions from the U.S. Department of Health and Human Services, MedEvolve is providing notice to the affected individuals at this time.  There is no evidence that anyone’s personal information has been misused as a result of this incident. 

What Information Was Involved? The file that was inadvertently accessible contained a combination of names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers and in some instances, Social Security numbers, relating to certain patients of Dr. Held. The file did not contain any clinical information, such as treatment or diagnosis, nor any financial information, such as methods of payment.  This file was stored in MedEvolve’s proprietary format with non-printable/non-readable characters within the file that acted to ensure the file could not be printed or used outside of its intended use without access to MedEvolve’s system.  As such, MedEvolve determined that this information was undecipherable and unusable to any unauthorized viewer.

 What Are We Doing? We take the security of information entrusted to us very seriously. Upon discovery, we immediately secured the portal in question and took steps to prevent further access. We also hired a third-party forensic expert to conduct an exhaustive investigation of this matter. As part of our ongoing commitment to the security of personal information in our care, we implemented additional safeguards and took additional steps to enhance the privacy and security of information in our systems. In addition to providing affected individual’s notice, we are providing notice to the U.S. Department of Health and Human Services, relevant media outlets, and state regulators if required.

MedEvolve also retained NortonLifeLock to provide two (2) years of complimentary LifeLock Defender™ Preferred identity theft protection to affected individuals.  We encourage all affected individuals to remain vigilant and to regularly review and monitor relevant account statements and credit reports and report suspected incidents of identity theft to local law enforcement, your state’s Attorney General, or the Federal Trade Commission (the “FTC”).

For More Information. If you have questions about this notice, or believe you may have been impacted and did not receive notice in the mail, you can reach us at privacy_questions@medevolve.com.