Security researchers at WizCase have discovered 9 medical databases containing millions of patient records that could be freely accessed over the internet, with no authentication in place to restrict access to authorized individuals.
The researchers conducted a search for unsecured databases using tools that are freely available to the public. The unsecured databases they found could be accessed by anyone with an internet connection who cared to look. The databases contained highly sensitive information, including names and contact information along with tax ID numbers, Social Security numbers, employment information, diagnoses, treatment information, HIV test results, and other health data.
The databases belonged to healthcare organizations/business associates based in 7 countries, including the United States. Two misconfigured MongoDB databases were identified along with 7 exposed Elasticsearch databases.
The exposed data in the United States appeared to belong to the precision intelligence platform provider DeepThink Health, formerly called Jintel Health, and the pharmacy software firm VScript. The DeepThink database contained 2.7GB of data and around 700,000 patient records, including highly sensitive information about cancer patients, such as the type, stage, medical observations, and their treatment program. The VScript database contained 81MB of data on around 800 patients, and there was also an exposed GoogleAPI bucket containing thousands of photographs of prescriptions that included patients’ contact information.
The other databases were owned by companies in Brazil, Canada, China, France, Nigeria, and Saudi Arabia and contained millions of records that included sensitive personal and health information.
The researchers contacted all companies concerned to advise them of the data leaks. Some did not respond and their databases remained open, hence the decision to go public to try to spur those companies into taking action to secure their data.
“Technology is moving at a fast pace and the security systems don’t seem like they can keep up. This is especially troubling when dealing with a company that is supposed to protect sensitive user data,” said the researchers.
The latest discovery is alarming in terms of the number of databases that were discovered, but this is not an uncommon occurrence. Over the past two years, dozens of misconfigured MongoDB databases and Elasticsearch databases have been discovered by security researchers.
There are many advantages to storing PHI in the cloud rather than on on-premises hardware, and the cloud can be perfectly secure; however, healthcare organizations must ensure that robust policies and procedures are implemented covering cloud data storage and that checks are regularly performed to ensure their cloud resources are not left unprotected. Security researchers are looking for unsecured databases, but so too are cybercriminals.