5 Million-Records Breach of MedicareSupplement.com and Summa Health Data Breach

The personal data of approximately 5 million people, held in a MongoDB database, was exposed on the web. MedicareSupplement.com owns the database, which contains personal and health data. TZ Insurance Solutions operates the website and uses it to help people look for a Medigap insurance plan. People in search of coverage could go to the website to learn more about ideal health plans and could get quotes by completing an online form and entering their personal data.

Security researcher Bob Diachenko and researchers from Comparitech identified the exposed database on May 13, 2019. The MedicareSupplement.com database includes data such as name, address, email address, phone number, IP address, birth date, gender, and data about health, lifestyle, car, and supplemental insurance plans. About 239,000 records also include the area of insurance interest.

How long the database was exposed is uncertain. However, the BinaryEdge search engine indexed the database on May 10, 2019. The researchers notified MedicareSupplement.com about the breach but received no response. The database has since been secured and is no longer accessible. The absence of authentication controls could have allowed a hacker to erase or modify information or install malware on the system.

Another breach, at Summa Health in Akron, OH, was discovered after unauthorized access to the email accounts of a few of its employees, with potential viewing and copying of patient data.

The email account compromise was discovered on May 1, 2019. The Summa Health investigators confirmed that two employee email accounts were compromised in August 2018, and two more accounts on March 11 and March 29, because the employees responded to phishing emails.

Summa Health retained the services of a top computer forensics company to look into the breach. The company confirmed that the accounts were accessed and that protected health information (PHI) could potentially have been viewed. No evidence was found to suggest that any patient information was viewed or stolen, but that possibility cannot be ruled out with certainty.

For most patients, the exposed types of information included names, birth dates, patient account numbers, health record numbers, and certain clinical and treatment data. The Social Security numbers or driver’s license numbers of a small number of patients were also exposed.

Summa Health is going to implement additional security controls to prevent further email security breaches. Staff will also receive additional training on privacy and security. It is not yet known for certain how many Summa Health patients were affected by this breach, which is said to have impacted over 500 people.