Apr 192019

Laura Hautala reports:

It’s some of the most sensitive medical information a person could have. Records for potentially thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday [link corrected by DataBreaches.net].

The records included patients’ names, as well as details of the treatment they received, Justin Paine, the researcher, says. Each patient had multiple records in the database, and Paine estimates there could be about 145,000 patients total in the database.

Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.

Read more on CNET.

Apr 182019

Callie Ferguson reports:

A communications official at Northern Light Acadia Hospital in Bangor mistakenly emailed the confidential names of 300 patients with prescriptions for Suboxone, a medication used to treat opioid use disorder, to an editor at the Bangor Daily News last week.

In addition to their names, the list also contained the identities of the patients’ medical providers, all of which is protected under federal privacy laws that prohibit health care organizations from disclosing personal patient information to the public without permission. Disclosing that a person takes Suboxone effectively outs him or her for seeking treatment for opioid addiction.

Read more on Bangor Daily News.

Apr 182019

Remember what I said earlier today about India being a data protection mess? Here’s another example. Mohit Kumar reports:

An unprotected database belonging to JustDial, India’s largest local search service, is leaking personally identifiable information of its every customer in real-time who accessed the service via its website, mobile app, or even by calling on its fancy “88888 88888” customer care number, The Hacker News has learned and independently verified.

Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings.

Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.

Read more on The Hacker News.  JustDial subsequently responded with the following statement (courtesy of THN’s Twitter account):

As TheHackerNews notes in their Twitter thread on this matter (begins here), THN did not declare this a data breach. That said, they do take exception to certain claims by JustDial.  As one example, THN tweets:

Statement says, “older versions cater to only a tiny fraction of users.”

Incorrect. we have verified that old APIs (exist since 2015) were fetching data from database to which the new protected APIs are also connected.

Hence, leaking profile data of even the very latest users.

So, this is still an openly disputed incident with more follow-ups by THN and JustDial likely.

Apr 172019

On March 19, this blog linked to a TechCrunch report about an improperly secured Meditab fax server that potentially allowed fax images with patient information to be accessed from an analytics portal. The exposure had been found by SpiderSilk, a cybersecurity firm in Dubai, who estimated that 6 million images were potentially accessible.  The TechCrunch report noted that:

The exposed fax server was running a Elasticsearch database with over six million records since its creation in March 2018. Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.

Last night, I spoke with Angel Marrero, MedPharm’s general counsel, who responded to my request for an update as to what their investigation had shown.

According to Marrero, their investigation showed that there were maybe 200,000 fax images that were actually on the server and potentially accessible. They found no evidence that anyone other than the researches had accessed the images and that they had not been scraped, but the firm had been unable to connect with SpiderSilk to ask them questions or seek clarification.

All told, Marrero informs this site that they had about 400 clients affected by this incident that they notified.  Approximately 100 of them had 500 or more images accessible via the portal and will be notifying HHS and affected patients or will be having Meditab notify HHS and/or the patients.  The other 300 clients reportedly have fewer than 500 images or patients involved, and so will be notifying HHS or having Meditab notify HHS before next year’s deadline for incidents involving less than 500 patients.

Marrero did not give DataBreaches.net an exact number of how many patients, total, were affected as they are still investigating that, but his current best estimate is that approximately 150,000 patients may have been affected.

Obviously, that’s concerning, particularly when you remember that these are often medical reports complete with a lot of medical history and sensitive information that is not encrypted, but by the same token it’s nowhere near as bad as headlines that raise the specter of 6 million affected or learning that the data had been found and exfiltrated by those with malignant intent.

Because some of Meditab’s clients have opted to notify HHS themselves, we may find ourselves seeing a number of breach reports that do not name Meditab and where we may not understand that the report was part of this breach.  Next month could be messy that way.


Apr 122019

Sarah Elms reports:

A University of Toledo counselor accused of improperly disclosing a student’s personal health information has been fired.

University officials on Dec. 18, 2018, notified Mychail Scheramic that his employment would be terminated at close of business March 18. He was hired in 2017 as the university’s counseling center director and was paid an annual salary of $90,000.

A university spokesman on Friday would not discuss the circumstances surrounding Mr. Scheramic’s firing. A document in his personnel file classifies his separation from UT as an “involuntary termination” but does not provide further details about what prompted the firing.

Dallon Higgs, a student in UT’s physician assistant program, last month sued the university, Mr. Scheramic, and his wife, physician assistant program chairman Dr. Linda Speer, who remains employed at UT. A Blade reporter requested Mr. Scheramic’s personnel records from UT when the lawsuit was filed.

Read more on the Toledo Blade.