Due to the failure of nine companies to secure their medical databases, the sensitive health information of millions of patients has been exposed over the internet.
The exposed patient data was found by security researchers at WizeCase. The research team, headed by Avishai Efrat, used publicly available tools to search for exposed data that could be obtained without any username or password. The firm then helps the affected organizations fix their data leaks and better secure their data.
In every case, the researchers tried to contact the healthcare organization concerned to advise it of the misconfigured database so that the data could be secured and unauthorized access stopped, but in several cases no reply was received.
The researchers got in touch with databreaches.net and received assistance in contacting the companies concerned. When no response was received, the researchers contacted local authorities and hosting companies for assistance. Several attempts were made to get the data secured over the space of a month before the decision was taken to go public and name the companies concerned to spur them into taking action.
The databases belonged to healthcare groups in Brazil, Canada, France, Nigeria, Saudi Arabia, two in China, and two in the United States. Seven of the nine exposed databases were on public-facing Elasticsearch servers and two were misconfigured MongoDB databases.
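The two misconfiguration classes behind these exposures are the same in both products: a listener bound to every network interface combined with authentication left off, so anyone who finds the port can read the records. The following added example (written for this page, not code from WizeCase or from any company named here) audits an `elasticsearch.yml` and a `mongod.conf` for exactly that combination, with a constructed weak configuration beside its hardened counterpart. The sample configurations, the `flatten` helper and the `audit_*` function names are all assumptions made for the example; the setting names (`network.host`, `xpack.security.enabled`, `net.bindIp`, `security.authorization`) are the products' real configuration keys.

```python
"""Audit Elasticsearch and MongoDB configs for the two misconfiguration
classes behind the exposures described above: a listener bound to every
interface combined with authentication switched off.

Added example: the configs below are constructed for this demonstration and
are not the settings of any company named in the article."""
from __future__ import annotations

# --- constructed sample configurations ---------------------------------
ES_WEAK = """\
cluster.name: clinical-data
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

ES_HARDENED = """\
cluster.name: clinical-data
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

MONGO_WEAK = """\
# no 'security' section: MongoDB defaults to authorization disabled
net:
  port: 27017
  bindIp: 0.0.0.0
"""

MONGO_HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Values that bind a listener to every interface (the Elasticsearch special
# values _global_ and _site_ resolve to non-loopback addresses).
ANY_INTERFACE = {"0.0.0.0", "::", "_global_", "_site_"}


def flatten(text: str) -> dict[str, str]:
    """Flatten indented 'key: value' YAML into dotted keys.

    Deliberately minimal: it handles scalars and nested mappings, which is
    all these two files use, and avoids a PyYAML dependency so the example
    runs stand-alone."""
    result: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, key) of enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            result[path] = value
        else:
            stack.append((indent, key))  # start of a nested mapping
    return result


def audit_elasticsearch(text: str) -> list[tuple[str, str]]:
    """Return (category, message) findings for an elasticsearch.yml."""
    cfg = flatten(text)
    findings: list[tuple[str, str]] = []
    host_raw = cfg.get("network.host", "127.0.0.1")  # loopback is the default
    if any(h.strip() in ANY_INTERFACE for h in host_raw.split(",")):
        findings.append(("bind", f"network.host={host_raw} listens on all interfaces"))
    # Absent is treated as disabled: the conservative reading, and the 7.x default.
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(("auth", "xpack.security.enabled is not true: REST API needs no credentials"))
    if cfg.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(("tls", "HTTP TLS disabled: credentials and records travel in clear text"))
    return findings


def audit_mongodb(text: str) -> list[tuple[str, str]]:
    """Return (category, message) findings for a mongod.conf."""
    cfg = flatten(text)
    findings: list[tuple[str, str]] = []
    bind = cfg.get("net.bindIp", "127.0.0.1")  # loopback is the default since 3.6
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    if bind_all or any(h.strip() in ANY_INTERFACE for h in bind.split(",")):
        where = "net.bindIpAll=true" if bind_all else f"net.bindIp={bind}"
        findings.append(("bind", f"{where} listens on all interfaces"))
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append(("auth", "security.authorization is not enabled: any client can read every collection"))
    return findings


def open_to_network(findings: list[tuple[str, str]]) -> bool:
    """True when the two findings the article describes coincide: the service
    is reachable from outside the host and requires no credentials."""
    cats = {c for c, _ in findings}
    return "bind" in cats and "auth" in cats


if __name__ == "__main__":
    for name, audit, cfg in [("elasticsearch (weak)", audit_elasticsearch, ES_WEAK),
                             ("elasticsearch (hardened)", audit_elasticsearch, ES_HARDENED),
                             ("mongodb (weak)", audit_mongodb, MONGO_WEAK),
                             ("mongodb (hardened)", audit_mongodb, MONGO_HARDENED)]:
        found = audit(cfg)
        print(f"{name}: open_to_network={open_to_network(found)}")
        for cat, msg in found:
            print(f"  [{cat}] {msg}")
```

Run stand-alone, the weak Elasticsearch file produces bind, auth and TLS findings and the weak MongoDB file produces bind and auth findings, so `open_to_network` is true for both; the hardened files produce none. The audit reads only the configuration files, so it can run as a pre-deployment check in CI before a database ever acquires a public address; a perimeter firewall rule is still worth keeping as the second layer, since a later edit to `network.host` or `bindIp` would otherwise undo the protection silently.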
The databases included a range of sensitive information including names, addresses, contact telephone numbers, email addresses, dates of birth, tax ID numbers, insurance details, employer details, occupations, diagnoses, information on medical complaints, prescription information, HIV test results, pregnancy status, laboratory test results, Social Security numbers, and other sorts of personal and health data.
The two U.S. databases were owned by DeepThink Health – formerly Jintel Health – and VScript. DeepThink Health has created a precision intelligence platform that captures and structures clinical and genomic datasets and reviews the data to support precision medicine. The 2.7GB Elasticsearch database contained approximately 700,000 records. Those records included the names and contact information of medical personnel, medical observations including information on the stages and types of patients' cancers, and cancer treatment data.
VScript is a pharmacy software business. The researchers found an Elasticsearch server hosting 81MB of data on around 800 patients and a GoogleAPI bucket containing thousands of images of prescriptions along with the names, contact details, and dates of birth of the patients who had received them.
VScript was one of the businesses that did not reply to either WizeCase or databreaches.net emails and phone calls. Databreaches.net also contacted Google about the exposed data, but the data remained accessible even after Google had made contact. Databreaches.net said that it is unclear whether the data belonged to VScript. The database may have been the responsibility of one of its vendors.
The other databases were owned by BioSoft in Brazil, ClearDent in Canada, the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS), Stella Prism in Saudi Arabia, Tsinghua University Clinical Medical College and Sichuan Lianhao Technology Group Co., Ltd in China, and Essibox, the French division of the international ophthalmic optics outfit Essilor.
WizeCase wrote in a recent blog post, “Technology is moving at a fast pace and the security systems don’t seem like they can keep up. This is especially troubling when dealing with a company that is supposed to protect sensitive user data. Since some of these databases were created and maintained by third-party companies, it is possible that the patients concerned are unaware that their data is being held and used by these companies.”
The exposure of sensitive medical data places patients at risk of blackmail, identity theft, and fraud, yet many may never learn that their data has been exposed. The WizeCase researchers may not be the only people to have found the databases. It is possible that others have already copied the data and are using it for nefarious purposes.