The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Misconfigured University of Chicago Medicine Elasticsearch Instance Exposed More Than 1.68 Million Records

It is certainly a week of massive data breaches. 11.9 million Quest Diagnostics records were exposed, 7.7 million records at LabCorp have potentially been compromised, and now University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed.

The records were stored on a misconfigured Elasticsearch server from which the access protections had accidentally been removed, allowing it to be reached over the internet without any authentication. The misconfiguration exposed a database containing 1,679,993 records of donors and prospective donors.

The exposed database was discovered by Security Discovery researcher Bob Diachenko on May 28. Diachenko had performed a search using the search engine Shodan to identify unsecured databases. Even though awareness has been raised following the discovery of a large number of exposed Elasticsearch instances and other NoSQL databases in recent months, Security Discovery researchers are still identifying between 5 and 10 ‘big cases’ of unsecured databases every month.

The latest find was a sizable cluster containing 34GB of data. The cluster, named data-ucmbsd2, had been indexed by Shodan and could be accessed over the internet by anyone. The database contained a range of information including names, addresses, phone numbers, email addresses, dates of birth, gender, marital status, wealth information and current financial status, and notes about past communications.


Diachenko determined that the data belonged to UC Medicine and sent a notification; the Elasticsearch instance was secured within 48 hours.

UC Medicine has issued a statement confirming a comprehensive forensic investigation was conducted, which determined the database was not subjected to unauthorized access other than by Diachenko. Diachenko confirmed that he only accessed some of the records to determine who they belonged to and did not download the database. Fortunately, the window of opportunity was short. Diachenko discovered the database one day after it had been indexed by Shodan.

Elasticsearch instances should be configured so they are only accessible over an internal network, and authentication controls should be implemented to ensure only authorized individuals have access. Misconfigurations do not only place data at risk of theft: there have also been instances where the lack of authentication has allowed hackers to encrypt databases using ransomware or even delete all stored data.
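As an added example (not code from the article, Security Discovery or UChicago Medicine), the following audits an elasticsearch.yml for the two conditions described above: a listener bound to a public interface and a cluster running with no authentication. The two sample configurations are constructed, the hypothetical private address 10.0.12.5 is an assumption, and the parser assumes the flat key: value layout of a typical elasticsearch.yml.

```python
"""Audit a flat elasticsearch.yml for internet exposure and missing auth.
Added example; sample configs below are constructed for illustration."""
import ipaddress

# Constructed sample: reachable on every interface, no authentication.
EXPOSED_CONFIG = """
cluster.name: data-ucmbsd2
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: bound to a private address (assumed), security on.
HARDENED_CONFIG = """
cluster.name: data-ucmbsd2
network.host: 10.0.12.5
http.port: 9200
xpack.security.enabled: true
"""


def parse_flat_yaml(text):
    """Parse 'key: value' lines; comments and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def host_is_private(host):
    """True only for loopback or RFC 1918 / ULA bind addresses.
    Elasticsearch's special values _local_ and _site_ are accepted;
    0.0.0.0, ::, _global_ and any other value count as public."""
    if host in ("_local_", "_site_"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not addr.is_unspecified and (addr.is_loopback or addr.is_private)


def audit(config_text):
    """Return findings for the two exposure checks; [] means both passed."""
    s = parse_flat_yaml(config_text)
    findings = []
    host = s.get("network.host", "127.0.0.1")  # Elasticsearch default: loopback
    if not host_is_private(host):
        findings.append(f"network.host={host} listens on a public interface")
    # A missing value is treated as disabled; the real default varies by version.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    return findings
```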

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
