
Medical Software Database Exposes Personal Data of 3.1M Patients

Researcher Bob Diachenko discovered a database owned by a medical software company leaking the personal details of over 3.1 million patients; the data was later deleted and potentially stolen.


By Jessica Davis

A medical software company’s database containing the personal information of more than 3.1 million patients was left exposed online without the need for a password or other authorization, according to security researcher Bob Diachenko.

The leaky database appears to be owned by vendor Adit, a developer of online booking and patient management software for medical and dental practices. The search engine BinaryEdge indexed the unsecured database on July 12, and Diachenko discovered it the following day.

Diachenko immediately investigated and reached out to Adit with his findings. However, the company did not respond to his emailed contact attempts.

The database contained full patient names, email addresses, contact information, marital statuses, sex, and practice names, all of which can be used by cybercriminals in targeted phishing attempts to gain more information for later fraud or to scam patients.

What’s more concerning is that the data was destroyed 10 days later on July 22 and could have potentially been stolen by a malicious bot known as “meow bot.” 

“The 'meow bot' has attacked hundreds of unprotected databases in recent weeks. But unlike other malicious bots that find and delete exposed data, it doesn’t ask for a ransom, which has led some to believe the bot is actually benevolent and aims to protect data subjects’ information,” Diachenko explained. 

“It’s identical to another attack we witnessed a week earlier against UFO VPN, illustrating meow bot’s prevalence and ability to find and attack unsecured databases,” he added. 

It’s unclear if anyone else accessed the data, but there’s a strong possibility as previous research showed unsecured and misconfigured databases can be breached in just eight hours. While no medical records were contained in the database, the information still poses a risk for medical fraud as data shows information stolen in healthcare breaches increases the risk of fraud by 70 percent.

Misconfigured databases are a prevalent problem in the healthcare sector, with about one-third of healthcare databases currently exposing sensitive patient data, according to IntSights.

This month has already seen several massive database leaks involving healthcare-related data.  

The vpnMentor cybersecurity research team recently revealed it discovered an unsecured Amazon S3 bucket with 343GB of data and more than 5.5 million files in December 2019. The database is still unclaimed but appears to belong to InMotionNow, a creative project management software vendor. However, the company did not respond to the researchers' repeated requests.

The database contained information for a host of companies, including Performance Health and Myriad Genetics, and involved analytics reports, internal presentations, client requests, business intelligence, and a mailing list with relevant personally identifiable information, among other sensitive details.

Meanwhile, DataBreaches.net recently reported that another researcher discovered a misconfigured Amazon S3 storage bucket, leaking over 60,000 patient records with protected health information tied to the BioTel cardiac data network. The database had recently been updated. 

The database stored scanned faxes regarding requests for medical records during patient referrals. In particular, the faxes contained requests for more information from patients whose insurance claims reimbursements were denied. The requests appeared to be handled by SplashRx/HealthSplash. 

VpnMentor researchers stressed that the breach could have been avoided with basic security measures that include improved server security, the implementation of proper access rules, and checking to ensure a system is not left without proper authentication requirements. 

Further, administrators should ensure the bucket remains private with added authentication protocols and layers of protection to further restrict data access from each entry point. 

“Any company can replicate the same steps, no matter its size,” researchers wrote. “Open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.”
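As an added illustration of the "proper access rules" check the researchers describe (example code, not from the article or from AWS), the following audits one bucket's exported settings offline and reports what leaves it publicly reachable. The bucket name, sample policy and the `audit_bucket` helper are constructed for this example; policy conditions are flagged for review rather than evaluated.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def audit_bucket(policy_json, acl_grants, public_access_block):
    """Hypothetical helper: list findings for one bucket's exported settings."""
    pab = public_access_block or {}
    findings = []
    # A public ACL grant stays effective unless IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("acl:" + grant["Permission"])
    # A public policy stays effective unless RestrictPublicBuckets is on.
    # Simplification: a statement with a Condition is flagged, not evaluated.
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
                tag = "policy-review:" if "Condition" in stmt else "policy:"
                findings.extend(tag + a for a in _as_list(stmt.get("Action", [])))
    # Any setting left off lets a later change expose the bucket again.
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("block-public-access-off:" + ",".join(missing))
    return findings

# Constructed sample input: a world-readable bucket and the locked-down settings.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI":
             "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
ALL_ON = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print(audit_bucket(OPEN_POLICY, OPEN_ACL, None))    # weak configuration
    print(audit_bucket(OPEN_POLICY, OPEN_ACL, ALL_ON))  # corrected configuration
```
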