An unsecured Elasticsearch database containing the personally identifiable information of approximately 137,000 people has been exposed over the Internet.
The database was discovered by security researcher Jeremiah Fowler, who determined that the data belonged to the medical emergency evacuation service provider SkyMed. Fowler discovered the security settings for the database had not been correctly configured and the database could be opened using any browser without any authentication controls. Unauthenticated users could view, edit, or download the database.
Fowler identified 136,995 individual records in the database that included information such as names, addresses, phone numbers, email addresses, and dates of birth. Some records also contained medical information.
Fowler also noticed an entry in the database called “howtogetmydataback”, which suggests that SkyMed may have been a victim of a ransomware attack in the past.
Fowler discovered the exposed database on March 27 and alerted SkyMed the same day. No response was received to acknowledge the email, but Fowler confirmed on April 5th that the database had been secured and was no longer accessible to the public.
It is unclear whether, as a provider of travel services for medical emergencies, SkyMed is a HIPAA-covered entity and is therefore required to notify its subscribers in the event of the discovery that their personal information has been subjected to unauthorized access. It is also unclear whether any notifications have been sent in order to comply with data breach notification laws in Florida.