What is the issue?
Security researchers from Wizcase have uncovered unsecured databases from nine different medical companies across the world. These open databases exposed sensitive patient data including prescriptions, diagnoses, and Social Security numbers.
Below is the list of the aforementioned medical data breaches.
Unprotected Elasticsearch server from Biosoft
An unprotected Elasticsearch server and a Kibana interface belonging to medical software company Biosoft in Brazil have exposed almost 1,185,000 records of patient data involving CadClin, an Electronic Patient Record software and calendar.
The exposed data includes patients’ full names, dates of birth, email addresses, occupation, medical observations, RG numbers (Brazilian ID number), taxpayer registry ID numbers, and insurance company names.
Open Elasticsearch server from ClearDent
An open 8 MB Elasticsearch server belonging to ClearDent, a dental software company in Canada, has exposed around 60,000 records of patient data including full names and phone numbers.
Unsecured Elasticsearch server from DeepThink Health
An unsecured Elasticsearch server 2.7 GB in size has exposed almost 700,000 records of medical data. The open server is owned by DeepThink Health, a medical intelligence-as-a-service company in the US. The exposed data includes patient names, gender, addresses, phone numbers, medical observations, and treatment information.
Open MongoDB server from Essilor
An unprotected MongoDB database belonging to Essilor, an ophthalmic optics company in France, has exposed nearly 1,500 records of patient data and over 200 records of email addresses connected with different Essilor domains, along with hashed passwords of employees.
Misconfigured MongoDB server from NAIIS
A misconfigured MongoDB server belonging to the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS) has exposed the personal information of over 80,000 individuals who participated in the survey. The compromised data includes participants’ age, pregnancy status, laboratory result codes and values, HIV validation first test date and time, HIV encounter data, and medical observations.
Unguarded Elasticsearch server from Stella Technology
An unguarded 4 GB Elasticsearch server belonging to Stella Technology in Saudi Arabia has exposed the data of over 300,000 patients, including their names, dates of birth, gender, email addresses, physical addresses, and medical observations.
Unprotected Elasticsearch server from Tsinghua University
An open Elasticsearch database owned by Tsinghua University in China has exposed over 60,000 records of patient data including dates of birth, age, height, and other medical information.
Misconfigured Google API bucket from VScript
A misconfigured Elasticsearch database and a Google API bucket belonging to VScript have exposed the data of customers of pharmacies using VScript, such as names, payment transactions, masked credit card numbers, and prescriptions. The Google API bucket exposed drug prescriptions and medicine bottles.
Unsecured Elasticsearch database from Sichuan Lianhao Technology
This is the largest data leak of the lot: an unsecured Elasticsearch database 42 GB in size has exposed over 24,000,000 medical records. The database belongs to Sichuan Lianhao Technology Group in China. The exposed data includes patients’ and doctors’ names, medical status, ID numbers, and phone numbers.
This ongoing trend of medical data breaches has become a major concern for the healthcare sector globally.