Share this article on:
The sensitive health information of millions of patients has been exposed over the internet as a result of the failure of nine companies to secure their medical databases.
The exposed patient data was discovered by security researchers at WizeCase. The research team, led by Avishai Efrat, used publicly available tools to search for exposed data that could be accessed without the need for any usernames or passwords. The firm then offers to help those organizations fix their data leaks and better secure their data.
In all cases, the researchers attempted to contact the healthcare organizations concerned to advise them about the misconfigured databases to allow steps to be taken to secure the data and prevent unauthorized access, but in several cases no response was received.
The researchers contacted databreaches.net and received assistance in contacting the companies concerned. When no response was received, the researchers contacted local authorities and hosting companies for assistance. Several attempts were made to get the data secured over the space of a month before the decision was taken to go public and name the companies concerned to spur them into taking action.
The databases belonged to healthcare organizations in Brazil, Canada, France, Nigeria, Saudi Arabia, two in China, and two in the United States. Seven of the nine exposed databases were on public facing Elasticsearch servers and two were misconfigured MongoDB databases.
The databases contained a range of sensitive information including names, addresses, contact telephone numbers, email addresses, dates of birth, tax ID numbers, insurance details, employer details, occupations, diagnoses, details of medical complaints, prescription information, HIV test results, pregnancy status, lab test results, Social Security numbers, and other types of personal and health information.
The two U.S. databases belonged to DeepThink Health – formerly Jintel Health – and VScript. DeepThink Health has developed a precision intelligence platform that captures and structures clinical and genomic datasets and analyzes the data to enable precision medicine. The 2.7GB Elasticsearch database contacted approximately 700,000 records. Those records contained the names and contact information of medical personnel, medical observations including details of the stages and types of cancers of patients, and cancer treatment information.
VScript is a pharmacy software firm. The researchers found an Elasticsearch server hosting 81MB of data of around 800 patients and a GoogleAPI bucket containing thousands of images of prescriptions along with the names, contact information, and dates of birth of the patients who had received them.
VScript was one of the companies that did not respond to either WizeCase or databreaches.net emails and phone calls. Databreaches.net also reached out to Google about the exposed data, but the data remained accessible even after Google had made contact. Databreaches.net notes that it is unclear whether the data belonged to VScript. The database may have been the responsibility of one of its vendors.
The other databases were owned by BioSoft in Brazil, ClearDent in Canada, the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS), Stella Prism in Saudi Arabia, Tsinghua University Clinical Medical College and Sichuan Lianhao Technology Group Co., Ltd in China, and Essibox, the French division of the international ophthalmic optics group Essilor.
“Technology is moving at a fast pace and the security systems don’t seem like they can keep up. This is especially troubling when dealing with a company that is supposed to protect sensitive user data,” explained WizeCase in a recent blog post. “Since some of these databases were created and maintained by third party companies, it is possible that the patients concerned are unaware that their data is being held and used by these companies.”
The exposure of sensitive medical data places patients at risk of blackmail, identity theft, and fraud, but many may never learn that their sensitive information has been exposed. The WizeCase researchers may not be the only individuals to have discovered the databases. It is possible that multiple individuals have stolen the databases and are using them for nefarious purposes.