Millions of Patients’ Sensitive Data Were Publicly Accessible Online

Because nine companies failed to keep their medical databases secure, the sensitive health information of millions of patients were exposed online.

The security researchers at WizeCase discovered the exposed patient information. The research team, under the leadership of Avishai Efrat, looked for exposed information that are accessible without requiring any usernames or passwords using freely available tools. The company then makes an offer to those whom they found to have exposed information to fix their data leaks and secure their information.

In all instances, the researchers tried to get in touch with the healthcare organizations involved to notify them regarding the misconfigured databases to let them take steps to secure the information and stop unauthorized access, however in a number of cases they receive no response.

The researchers got in touch with databreaches.net and got support in contacting the firms involved. If there is no response, the researchers got in touch with hosting companies and local authorities for guidance. Numerous efforts were made to secure the data in a span of one month before deciding to go public and identify the companies involved to prompt them to action.

The exposed databases were from healthcare companies in Brazil, France, Canada, Saudi Arabia, Nigeria, two in China and in the U.S. Of the nine exposed databases, seven were open facing Elasticsearch servers while two were MongoDB databases that were misconfigured.

The databases had a variety of sensitive information such as names, contact phone numbers, addresses, email addresses, birth dates, tax ID numbers, Social Security numbers, insurance information, employer information, occupations, diagnoses, information of health complaints, prescription data, HIV test findings, pregnancy test results, laboratory test results, and other types of private and health data.

The two U.S. databases were owned by DeepThink Health (previously called Jintel Health) and VScript. DeepThink Health has created an accurate intelligence platform that records and structures medical and genomic datasets and assesses the information to permit precision medication. The 2.7GB Elasticsearch database had roughly 700,000 data. Those data included the names and contact details of medical staff, medical findings such as specifics of the types and stages of cancers that patients have, and cancer treatment details.

VScript is actually a pharmacy software company. The WizeCase researchers discovered an Elasticsearch server that hosted 81MB of data of about 800 patients as well as a GoogleAPI bucket that contains thousands of pictures of prescription medications together with the names, contact details, and birth dates of the patients that received the medications.

VScript was one company that failed to respond to WizeCase and the databreaches.net email messages and telephone calls. Databreaches.net likewise contacted Google regarding the exposed information, however, the information stayed accessible even after Google’s advice. Databreaches.net remarks that it is uncertain if the data was VScript’s. The database might have been one of its vendor’s responsibility.

The other databases belonged to ClearDent in Canada, BioSoft in Brazil, Stella Prism in Saudi Arabia, the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS), Sichuan Lianhao Technology Group Co., Ltd and Tsinghua University Clinical Medical College in China, and the French department of the international ophthalmic optics group Essilor, Essibox.

Because a number of these databases were made and managed by third party firms, it is likely that the concerned patients are uninformed that their data were held and utilized by these firms.

The compromise of sensitive health data puts patients in danger of blackmail, fraud and identity theft, however, plenty of people may never find out that their sensitive data were exposed. People other than the researchers at WizeCase may have also found the databases. It is likely that numerous people have ripped off the databases and are making use of the information for criminal purposes.