Misconfigured Database Leaks 880 Million Medical Records


Researchers have found an unsecured database leaking over 886 million sensitive patient records online.

The non-password-protected data trove was found by Jeremiah Fowler and Website Planet and traced to healthcare AI firm Deep 6 AI, which fixed the privacy snafu promptly after it was responsibly disclosed.

Deep 6 AI applies intelligent algorithms to medical data to help find patients for clinical trials within minutes.

The exposed data included date, document type, physician note, encounter IDs, patient ID, note, UUID, patient type, note ID, date of service, note type, and detailed note text.

The notes and physician information were stored in plain text, meaning anyone who discovered the database could have accessed intimate details of patient illnesses. Patient IDs were encrypted, which would make it harder for opportunistic cyber-criminals to unmask the victims, although it’s unclear how strong that encryption was.

However, if they were able to do so, the 68.5GB database would seem to offer plenty of information to use in possible extortion attempts or to sell on the dark web. According to Fowler, scammers could also have used the info to target doctors.

“During the pandemic, doctors and nurses have been in close contact with infected patients. Scammers are now contacting doctors and pretending to be a contact tracer and then asking for sensitive patient medical data,” he explained.

“Hypothetically, this exposure could have provided scammers with a list of 89,143 medical professionals that they could target using insider information and their own notes to gain trust.”

The database itself, when exposed, was also at risk of being held to ransom, Fowler added.

According to IBM, healthcare remains by far the sector with the highest average breach cost. That figure rose by nearly 30% over the past year to top $9.2m per incident.
