Misconfigured MongoDB database exposes sleep disorder program patients’ information
I blacked out while driving and wrecked ….
So begins a message that was just one of more than 1,000 messages and more than 1,200 patient profiles exposed to the world because a sleep disorder clinic serving military personnel had a misconfigured MongoDB database that was indexed by Shodan.
Thankfully, the files were still intact when MacKeeper Security Research personnel discovered the leak yesterday. It would have been worse luck for the clinic if it had been attacked by the new ransomware that wipes the files and then holds if for ransom if the owner wants the data back.
Inspection of the exposed data and IP address revealed that the data were from patients seen at Militarysleep.org, which is associated with Womack Army Medical Center (WAMC) at Fort Bragg, North Carolina. MacKeeper promptly notified militarysleep.org and Wickwire Group, LLC, as many of the exposed files appeared to be theirs.
Shortly after notifications were sent, the database was secured, although it is not yet clear who secured it and whether that database was the responsibility of WAMC or the Wickwire Group. Neither entity responded to an inquiry from DataBreaches.net as to who was the responsible party, but the exposed directory filenames suggests that it may be Eckwire’s database installation.
The exposed data included personal information of military personnel, including their first and last name with middle initial, postal and email addresses, date of birth, last four digits of Social Security number, military rank, and their password to login to the portal, as this redacted patient (“user) profile demonstrates:
A second exposed database contained messages between the patients and doctor(s). In many cases, the messages were boilerplate messages that the results of the sleep study indicated no sleep apnea, and that the individual might want to sign up for the online learning program using cognitive-behavioral techniques to address insomnia. In other cases, the messages might include specific medication information or a report on how the patient was doing, such as the snippet from one message that appears at the beginning of this report.
The messages often included the patient’s military rank and full name.
The militarysleep.org site does not indicate whether it is a HIPAA-covered entity, which is one of the questions DataBreaches.net had put to the site and Wickwire.
This post will be updated if more information becomes available. Great thanks to the MacKeeper Security Research team for alerting me to this leak. You can read their post about the incident on their blog.
And if you know of an exposed database with patient records, please contact me via email (admin [at] databreaches [dot] net), Jabber (dbnet [at] swissjabber.ch) or on Twitter (@pogowasright).