Texas firm exposed fetal and patient ultrasounds (updated)
Corpus Christi-based 4D Sound Diagnostics (3d4dinfo.com and Bump 2 Baby & Beyond) provides elective ultrasounds for women or couples who want an image of their baby. The firm, owned by technologist Michael Rodriguez and formerly based in Louisiana, also provides ultrasound services in doctors’ offices. While many of their clients appear to be in the former group (fetal ultrasounds that are not medically necessary or ordered by physicians), a number of their patients are obtaining screening for health problems such as thyroid conditions, carotid artery issues, etc.
Unfortunately, and as we’re seeing all too often, a cloned server using the Rsync protocol was indexed by Shodan and was available to anyone and everyone because port 873 was open.
The problem was first detected by the MacKeeper Security Watch team, who discovered the problem through a Shodan search and alerted DataBreaches.net to the problem. MacKeeper’s team also attempted to alert the firm. DataBreaches.net also sent multiple alerts and notifications over a period of more than one week. The problem now appears to have been addressed, although the firm never acknowledged nor responded to any of the notifications directly. (But see below, as DataBreaches.net subsequently did hear from the firm, post-publication).
Client/Patient Information Exposed
So what was in the exposed data? For those seeking elective ultrasounds, the files contained client/patient forms with name, date of birth, address, email address, telephone numbers, due date, how many weeks pregnant, physician’s name, method of payment, and a permission/consent form asking whether the firm could use the woman’s name and the ultrasound image on its web site or for advertising.
There appeared to be more than 1,000 patients’ files going back to 2012.
Sometimes, when abnormalities were detected, the firm would send a courtesy letter to the patient’s physician. A few of those exposed letters contained somewhat sensitive information, such as a letter to a patient’s physician indicating that the ultrasound suggested fetal demise and further testing should be considered.
Thankfully, perhaps, there did not appear to be any detailed patient financial information, credit card information, or patient SSN in the exposed files, although in some cases, partial credit card numbers used for payment were exposed. Nor were there any Medicare numbers or Medicare claim forms in the files.
Employee and Corporate Information
In addition to patient information, information about the business and Rodriguez’s personal details were also exposed. There were a number of files with bank account statements, credit card statements, mortgage loan information, and files on a child with special needs. There were also files with tax returns that included their children’s names and Social Security numbers.
Employee/contractor information included information on supervising physicians such as their names, Social Security numbers, date of birth, Medicare ID number, National Provider Identification number, and telephone number.
And yes, there was a file of plain-text passwords.
Kromtech Security, who discovered the file, and attempted to alert the firm, tells DataBreaches.net:
Based on our research, we have noticed that remote synchronization protocol (rsync) is one of the biggest cyber security threats. Cloning critical servers using unprotected RSYNC leaves data, files and folders vulnerable for ransomware, injections, or executable files. In many cases the folders are writable and can even be deleted remotely.
DataBreaches.net could find no mention of HIPAA on the web sites. In subsequent communications with Rodriguez, he indicated that none of the activities or files in the exposed files implicated HIPAA. He also indicated that there was no indication that anyone other than Kromtech and this site had accessed the files.
Update: Post-publication, several image files were removed at Rodriguez’s request. Although personally identifiable information had been removed from the files before posting them, DataBreaches.net agreed to his request. As a result, portions of this post have been edited.