5 Million Records Exposed Due to Unsecured MongoDB Marketing Database

A MongoDB database containing the personal records of around 5 million individuals has been left exposed on the internet.

The database contained personal information and health data and belonged to MedicareSupplement.com, a website run by TZ Insurance Solutions which helps individuals find a Medigap insurance plan. Individuals looking for coverage can visit the website to find out more about suitable health plans and can obtain quotes by filling out an online form and entering their personal information.

Researchers from Compariteh and security researcher Bob Diachenko discovered the database on May 13, 2019. The marketing database contains information such as name, address, telephone number, email address, IP address, date of birth, gender, and information relating to health, life, auto, and supplemental insurance.  Around 239,000 records included the area of insurance interest.

It is unclear for how long the database was exposed, but it was indexed by the search engine BinaryEdge on May 10, 2019.

The researchers reported the breach to MedicareSupplement.com but no response was received, although the database has now been secured and is no longer accessible.

As a result of the lack of authentication controls it would have been possible for a hacker to delete or alter data or install malware on the system.

Summa Health Patients Notified of Data Breach

An unauthorized individual has gained access to the email accounts of several employees of the Akron, OH hospital system Summa Health and potentially viewed or copied patient information.

The email accounts were discovered to have been compromised on May 1, 2019. The Summa Health investigation confirmed that two employee email accounts had been compromised in August 2018, with a further two accounts compromised on March 11 and March 29 as a result of employees responding to phishing emails.

Summa Health hired a leading computer forensics firm to investigate the breach. The company confirmed that the accounts had been accessed and PHI had potentially been viewed. No evidence was uncovered to suggest any patient information was viewed or stolen, but the possibility could not be ruled out.

For the majority of patients, the types of information that were exposed were limited to names, dates of birth, patient account numbers, medical record numbers, and some clinical and treatment information. A small subset of patients also had their Social Security number or driver’s license number exposed.

Summa Health will be implementing additional security measures to prevent further email security breaches and staff will be provided with additional training on privacy and security.

Summa Health has not confirmed how many patients were affected other than saying the breach impacted more than 500 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.