9 Unsecured Medical Databases Found Leaking Sensitive Patient Data

Posted on: Wednesday, October 23, 2019 By: KorchekStaff

WizCase discovered a trove of unsecured medical databases from various global companies leaking sensitive data from millions of patients, including Social Security numbers and health data.

Researchers from WizCase recently discovered nine separate, unsecured medical websites leaking sensitive data from millions of patients around the world, including health information, Social Security numbers, and other sensitive data.

The security team from WizCase, led by Avishai Efrat, discovered the misconfigured websites using tools openly available to the public. The team works to help companies secure their data. Each of the databases examined in the report was unsecured and did not require a password to be accessed, which left the data of millions of patients vulnerable.

All of the companies were contacted, as well as the hosting provider and some local authorities. However, not all databases were secured at the time the report was published. The researchers said they published their findings in the hope that these companies would move to secure the patient data.

First examined by DataBreaches.net, two of the nine misconfigured databases were owned by US healthcare companies: Jintel Health, or DeepThink Health, and VScript.

In the case of VScript, a US pharmacy software firm, WizCase found an open Elasticsearch server containing 81 MB of data, or about 800 files, and an open GoogleAPI bucket with thousands of images of prescription bottles and medicine bottles.

The data related to customers of pharmacies that use VScript and also included multiple entries of payment transactions from clients purchasing medical items, including full names, masked credit cards, and prescriptions.

The VScript GoogleAPI bucket was found within the Elasticsearch database, which researchers explained meant anyone who discovered the database could access the bucket contents without restrictions, including thousands of pictures of prescriptions, medicine bottles, names, contact details, and dates of birth.

“Information about different pharmacies’ internal documentation of prescriptions and medicine bottles has been exposed, assisting potential medical document fraud,” researchers explained.

DeepThink Health is a precision intelligence platform that captures and structures large clinical and genomic datasets to be analyzed for precision medicine purposes. The researchers discovered an Elasticsearch database containing 2.7 GB of patient data, or 700,000 records.

An analysis determined the database contained three main types of data: medical observations about unnamed patients under the context of cancer, gender, and age group; cancer treatment information, including prescription drug lists and treatment types; and other details that appeared to be focused on medical personnel rather than the patients, including names and contact details.

“Detailed cancer treatment and medical observations, even though anonymous, could potentially be used for blackmail if more data elsewhere in the system was revealed and correlated with the exposed entries from this leak,” researchers noted.

WizCase also found exposed databases from Brazil-based CadClin from BioSoft, Canada’s ClearDent, France-based Essilor, Nigeria’s Naiis, Stella Prism by Stella Technology in Saudi Arabia, Tsinghua University Clinical Medical College in China, and China’s Sichuan Lianhao Technology Group.

Those databases contained “prescriptions, medical observations, lab visits, Social Security Numbers, and in many cases, full names and addresses,” according to the report.

“Technology is moving at a fast pace and the security systems don’t seem like they can keep up,” the report authors wrote. “This is especially troubling when dealing with a company that is supposed to protect sensitive user data.”

“The health industry is no exception, as companies share data with third-party providers around the world,” they added. “We found several leaks that seriously raise questions regarding how our medical data is handled and secured in this technological era.”

In some cases, the data was held by third-party companies that provide data management and may not understand the possible implications of handling sensitive data online. The researchers noted that some patients may not even know these companies hold their personal information.

To researchers, there’s a lot at stake. For one, the ClearDent database contained a ransom note, which hackers often use in automated attacks on open databases. It could mean the database has already been accessed by unauthorized individuals.

Further, exposed databases also pose a risk for identity theft, phone scams, blackmail, fraud, and phishing attempts against those individuals found in the databases.

Unfortunately, medical database leaks have become increasingly common. In September, IntSights researchers found one-third of healthcare databases stored locally and in the cloud are currently exposing sensitive patient data. A year earlier, the researchers reported similar findings.

This summer, several researchers found other healthcare-related companies leaking the data of thousands of patients, with some breaches lasting for several years without being detected. Currently, Sen. Mark Warner, D-Virginia, is investigating imaging firm TridentUSA and its affiliate MobileXUSA, after a ProPublica report revealed the imaging firm left millions of medical records and patient data exposed online.