Everything’s broken, Monday edition (medical data leaks)
It seems that every week I hear from researchers who find patient data or medical data exposed. And I know some of them spend inordinate amounts of time trying to contact entities to get them to secure their unsecured sensitive data. Some of these researchers do this for no pay and no expectation or hope of any future business dealings. Sometimes they are just ignored, sometimes they are insulted and accused of trying to scare up business, and sometimes they are accused of hacking. Rarely are they thanked for taking the time and effort to help entities fulfill their promise to keep data private and secure.
One month ago, this site was contacted by WizCase researchers. Over the past month, I have had more of an opportunity to interact with Avishai Efrat as we discussed what steps they had taken and would take after finding nine different entities exposing patient or medically-related data. Their dedication to responsible disclosure and their willingness to delay publication to try to get data locked down before going public is admirable. In this case, after more than one month of trying to get data secured, they have published their report on nine leaks, even though not all of them have been locked down. Because they do not indicate which of the named entities still hasn’t locked down their data, DataBreaches.net will not be indicating that, either, even though this site knows which entities still have exposed data.
Wizcase kindly shared their findings with DataBreaches.net prior to publication, in part because this site attempted to assist them in making notification to a firm that was exposing patient information but wasn’t responding to notification attempts. DataBreaches.net was provided with the urls of the past and still-exposed leaks. Of note, entities that did not respond to WizCase’s notification attempts also did not respond to DataBreaches.net’s contacts with questions about their response to the leaks or requests for comments.
Why just bury your head in the sand when you can really really bury your head in the sand, right?
The following is a recap of the leaks WizCase found, as described by WizCase. When you read their full report, you’ll see redacted screenshots from exposed databases and you’ll also read their assessment of the risks of each leak:
Summary of Leaks
CadClin is medical office practice management software by BioSoft in Brazil. WizCase researchers found a 3 GB public-facing Elasticsearch with Kibana interface that contained almost 1.2 million records with patients’ full name, email, medical observations (in Portuguese), date of birth, city of birth, RG (Brazilian ID number), taxpayer registry ID number, insurance company name, and occupation.
ClearDent is a dental software firm in Canada. WizCase researchers found an 8 MB public-facing Elasticsearch server with approximately 60,000 exposed records. The records reportedly included patients’ full names and phone numbers, although there were some entries with test data or missing values.
Jintel Health (now known as DeepThink Health) is a U.S. firm that describes itself as “an innovative precision intelligence platform which captures and structures large clinical and genomic datasets, and then applies our advanced analytics and machine learning to enable precision medicine.” WizCase researchers found a 2.7 GB open Elasticsearch with 700,000 records. Their analysis of the data indicated that there were three types of data:
Medical observations about unnamed patients in the context of cancer, e.g. tumor size, cancer type, survival month, as well as details like gender and age group.
Cancer treatment information like drug list and treatment type.
Some details, which were listed separately, seemed to be of medical personnel and not patients. It included names, physical addresses, and phone numbers.
Essilor is an international opthalmic optics group that designs and manufactures lenses. This particular leak appeared to be related to their French entity and one particular instrument that they manufacture, Essibox. The 5.7 GB misconfigured MongoDB installation reportedly contained 1,500 records on patients and 200 – 300 records on Essilor employees.
NAIIS (the Nigeria HIV/AIDS Indicator and Impact Survey) was a survey conducted in 2018. WizCase researchers found a 1 GB misconfigured MongoDB server exposing approximately 80,000 survey respondents’ data. They report that the data leak included facility and hospital names; respondents’ pregnancy status; laboratory results code and value; respondents’ age; HIV validation first test date and time; HIV encounter data; and medical observations of anonymous people taking the survey; etc. WizCase refers to them as patients, but they were actually survey respondents sharing their medical information, even though they may have been others’ patients.
WizCase attempted email notification, but the only email address on NAIIS’s site was not a working email address. WizCase then notified the hosting company, who did respond with a grateful message:
“Thank you so much for spotting this out.
This is a very serious issue and we will notify the customer accordingly.
Please feel free to reach out to us whenever you discover any vulnerabilities.”
But NAISS never contacted WizCase after that at all. Did anyone contact any of the people whose data was exposed? And who was responsible for data security for the server anyway? According to their site:
NAIIS was led by the Government of Nigeria through the Federal Ministry of Health (FMoH) and the National Agency for the Control of AIDS (NACA), conducted with funding from the United States (U.S.) President’s
Emergency Plan for AIDS Relief (PEPFAR) and the Global Fund to Fight AIDS, Tuberculosis and Malaria with technical assistance from the U.S. Centers for Disease Control and Prevention (CDC). The survey was implemented by the NAIIS Consortium, led by the University of Maryland, Baltimore (UMB), under the supervision of the NAIIS Technical Committee.
So who was minding the data store?
Stella Prism is a data analytics platform by Stella Technology in Saudi Arabia. WizCase researchers found a 4 GB open Elasticsearch server with approximately 300,000 exposed records. Their analysis indicated that the leak contained full names, address, SSN for the US patients, admittance reason, address, date of birth, gender, medical observations, and emails. Not all records were unique.
Tsinghua University Clinical Medical College in China appears to have been leaking approximately 50,000 records – 60,000 clinical research data records in a 643 MB open Elasticsearch server. Significantly, the researchers note that there was no identifiable personal information other than the patients’ first and last initials, but that’s not really an accurate characterization because the data included date of birth, age, height and medical information. Those data types in conjunction with first and last initials could allow reidentification of individuals.
Sichuan Lianhao Technology Group Co., Ltd (znjtys.com) is a tech company in China. WizCase researchers found a 42 GB open Elasticsearch server that contains about 24 million records that appear to contain different types of medical information from doctors and patients. The leak appears related to one particular product by the company that translates to “Smart Family Doctor.” It was difficult for the researchers to determine exactly what data types or how many of each data type were exposed.
VScript is a pharmacy software firm in the U.S. Researchers found an 81 MB open Elasticsearch server and GoogleAPI bucket. The former contained about 800 records, while the exposed bucket had thousands of images of prescriptions and medicine bottles. Because this is a U.S. entity that might be covered by HIPAA, let me note that:
- VScript did not respond to WizCase’s attempt to notify them.
- They did not respond to a phone call from DataBreaches.net on September 26, either about their leaks. DataBreaches.net then reached out to Google about the bucket, but
- The bucket remained unsecured even after Google contacted their customer.
Note that DataBreaches.net cannot be sure that the Elasticsearch and bucket are owned by VScript, as this may be a vendor situation. Google would not tell DataBreaches.net exactly who their customer was that they were contacting. But it’s certainly data relating to VScript and as PHI, it should have been and should be secured.
Thanks to WizCase for trying to help keep patient data more secure and for sharing their research with this site. Read their full report here.