Patient PHI Discovered to be Freely Accessible

WizCase is a company that has years of experience testing and evaluating cybersecurity tools and products. Recently, WizCase researchers discovered significant database leaks from a number of websites around the globe. Patient PHI was discovered to readily available.

What Patient PHI was Leaked?

The information that was leaked consists of protected health information (PHI) in the form of (among other items):

• Prescriptions
• Medical observations
• Lab visits 
• Social Security numbers
• Full names and addresses
• Tax ID numbers
• Insurance details
• Employer details
• Occupations
• Diagnoses
• Details of medical complaints 
• HIV test results
• Pregnancy status
• Lab test results

Ironically enough, WizCase found the various databases (9 databases overall) in the context of WizCase’s conducting research to help companies to secure their data. The nine databases were found to be unsecured. In addition, none of the databases required a password to be accessed.

Even more frightening: After the research team used publicly available tools to search for exposed data that could be accessed without the need for a username or password, the research team contacted the database owners (all of whom are healthcare organizations), offering to help these organizations to both fix the data leaks and improve data security. 

When the researchers first attempted to contact the healthcare organizations, several did not bother to respond. The researchers then consulted a data breach reporting website and received assistance in contacting the healthcare organizations. When the researchers then attempted to contact the healthcare organizations, the healthcare organizations still refused to respond. Finally, Wizcase went public, naming the companies concerned in the hope the  companies would take action.  

One of the companies – a pharmacy software firm – still has refused to respond to WizCase emails and phone calls. The researchers found that this company’s Elasticsearch unsecured, not-password-protected server hosted 81MB of data of around 800 patients, as well as a GoogleAPI bucket containing thousands of images of prescriptions along with the names, contact information, and dates of birth of the patients who had received them.

The nine affected databases were found in healthcare organizations located in databases belonging to healthcare organizations in Brazil, Canada, France, Nigeria, Saudi Arabia, two in China, and two in the United States. 

Seven of the nine exposed databases were on public facing Elasticsearch servers. The other were two misconfigured MongoDB databases.

The public exposure of this sensitive medical data places patients at significant risk of blackmail, identity theft, and fraud. Equally significant, patients may never find out that their sensitive information has been exposed: entities other than WizCase may also have discovered the databases. These other entities may have stolen the PHI from the databases for illegal purposes.