The personal data of 2,373,764 patients was left exposed online after Hova Health, a telemedicine company based in Mexico, misconfigured a MongoDB database.
Security researcher Bob Diachecko made the discovery using the Shodan.io search engine, which scans the internet for open ports on connected devices and web servers. The database was publically available and could be accessed or changed by anyone, even without a password.
The database contained patient names, personal ID codes for Mexican citizens and residents, insurance policy numbers and expiration dates, dates of birth, and addresses. There also were flags noting migrant status or disabilities.
Hashed passwords for administration accounts and emails also were contained in the database, which made it easy for Diachenko to notify the apparent owner, Hova Health.
“All the areas that work on this project are reviewing exactly what happened and checking all our infrastructure to avoid this kind of event,” Hova Health administrators told Diachenko. The data was shored up within a few hours.
But the database contained a number of records that appeared to be from a government health service. So it’s still unclear who actually owns the database. Further, Diachenko could not determine how long the data was left open to the public.
MongoDB issues have been known since at least March 2013 and have been widely reported, Diachenko wrote. The company released security guidelines and updated its software to include more secure defaults, but there still are 54,000 unsecured databases still widely available on the internet.
Misconfiguration issues are far too common for the healthcare sector, which already is being pummeled by cyberattacks. One wrong click and tens of thousands to millions of patient records can be breached.
MedEvolve was the biggest misconfiguration breach this year. While the company recently began notifying 205,000 patients of the error, a security researcher made the discovery in May. A group of Long Island providers and Middletown Medical in New York also made a similar mistake this year.
Whether by vendor error or internal mistake, these errors can easily be avoided. On the vendor side, healthcare organizations should make sure to bolster their third-party management, which includes ensuring the third party’s security standards are on par with their own.
Internally, update MongoDB databases with its improved security measures. Amazon also updated its cloud storage dashboard last year to avoid similar misconfiguration errors. It’s also a good idea to revisit storage buckets to ensure patient data is protected.
“This is yet another warning to any company or service provider that handles and stores personal medical data,” Diachenko wrote. “Security experts warn that not only should they audit their security processes regularly, but they should also have an incident response process in the event of a data leak.”
Healthcare Security Forum
The Boston forum to focus on business-critical information healthcare security pros need Oct. 15-16.