HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online

A database containing the personal information of more than 3.1 million patients has been exposed online and was subsequently deleted by the Meow bot.

Security researcher Volodymyr ‘Bob’ Diachenko discovered the database on July 13, 2020. The database required no password to access and contained information such as patients’ names, email addresses, phone numbers, and treatment locations. Diachenko set about trying to identify the owner of the database and found it had been created by a medical software company called Adit, which makes online booking and patient management software for medical and dental practices. Diachenko contacted Adit to alert the company to the exposed database but received no response. A few days later, Diachenko discovered the data had been attacked by the Meow bot.

The Meow bot appeared in late July and scans the internet for exposed databases. Security researchers such as Diachenko conduct scans to identify exposed data and then make contact with the data owners to try to get the data secured. The role of the Meow bot is search and destroy. When exposed database are found, the Meow bot’s script overwrites the data with random numerical strings, appended with the word “meow”.

The individual or group behind the Meow bot is unknown, nor the motives behind the attacks, of which there have been hundreds. Many threat actors search for exposed cloud databases and steal or encrypt data and issue a ransom demand, but there appears to be no financial motive behind the Meow bot attacks.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

It is not entirely clear whether data is stolen prior to being overwritten, but several security researchers have suggested data theft is not the aim, instead the purpose may be to prevent the information of data subjects from being obtained by cybercriminals and/or to send a message to data holders that the failure to secure data will result in data being destroyed.

The deletion of the database may have prevented the data from falling into the hands of cybercriminals, but a previous study conducted by Comparitech showed malicious actors are constantly searching for exposed data and often find exposed Elasticsearch databases and Amazon S3 buckets within hours of them being exposed. Since the database was exposed for at least 10 days before the search and destroy Meow bot attack, it is probable that it was found and obtained prior to its destruction; potentially by multiple parties.

In this case, the personal data was limited, but that information could still be of use to cybercriminals for phishing campaigns.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.