Database of New Jersey Healthcare Provider Found to be Leaking Patient Data
Another unsecured healthcare database has been discovered which contains an estimated 37,000 records.
The discovery was made on March 1, 2019 by security researcher Jeremiah Fowler. A brief analysis of the database appeared to show the records belonged to the New Jersey healthcare provider, Home Health Radiology Services LLC. The database contained highly sensitive patient information such as names, addresses, phone numbers, and dates of birth along with medical notes, diagnoses, treatment information, insurance information, and in some cases, Social Security numbers.
In a recent blog post on securitydiscovery.com, Fowler explained that 37,000 case files were found along with 1,540 doctors' information records, chat logs, emails, support tickets, and many other sensitive files.
The records were mostly contained in an Elastic database which could be accessed over the internet by anyone without the need for any authentication.
The unsecured database was reported to Home Health Radiology Services, which promptly secured the database to prevent any further unauthorized access. It is currently unclear how long the database was accessible over the internet and whether anyone other than Fowler viewed the data.
The incident is one of many similar breaches that have occurred as a result of protections being removed from servers and databases. Also this week, a fax server used by Sacramento, CA-based medical software provider Meditab Software Inc. was discovered to have had protections removed, which allowed healthcare faxes to be viewed in real time over the internet. More than 6 million records were reportedly housed on the server.
In February, almost 1 million records of UW Medicine were discovered to have been exposed over the internet due to a database misconfiguration.
These incidents highlight the importance of putting policies and procedures in place so that all servers and databases used for storing patient health information are checked to ensure they have protections in place to prevent unauthorized data access, especially after any software upgrades have been performed or patches have been applied.
These are not just isolated incidents. In late 2018, a study by the enterprise threat management platform provider IntSights suggested as many as 30% of healthcare databases have been exposed online.