[BreachExchange] Millions of health records exposed to public in Mexico

[Destry Winant]

https://pharmaphorum.com/news/health-records-publically-exposed/

A German cyber security enthusiast says he discovered an unprotected
online healthcare database and gained access to 2.3 million Mexican
patients records including their personal information and health
reports.

Bob Diachenko, cyber security and IT enthusiast from Germany
discovered the database which held personal entries of patients from
Michoacán state in Mexico has been freely available on the Internet.

The database was publicly available as a result of misconfigured, free
to use and open-source MongoDB database operated by the record holder.

Diachenko was able to access personal information such as full name,
gender, identity codes, insurance policy numbers along with the expiry
dates, date of birth, home address and disability or migrant status.

“A MongoDB instance was indexed by IoT search engine Shodan and was
viewable, accessible and editable without login or password for
anybody in the world connected to the Internet”, said Diachenko in his
LinkedIn blog post.

After looking into the data, Diachenko was able to establish that Hova
Health, a telemedicine company, was holding these records while
working on its healthcare project. The Mexico City based company
offers software development for the medical companies and health
sector.

Database also contained passwords for admin accounts and associated
with them email addresses, therefore, Diachenko was able to notify the
responsible individuals and the dataset was secured within a few
hours.

It is not clear as to how long the data was publicly exposed and who
else gained access to the records. Nobody claimed to be an actual
owner of the database either, and Hova Health is currently
uncontactable. Their website has been similarly down for the last two
days.

With the wave of ransomware attacks on hospitals, and medical
providers, it is clear that the healthcare sector is being targeted by
cyber criminals.

Just a few weeks ago we were reporting about hackers attack on
Singapore government’s health database.

Back in May 2018, the NHS has been targeted by the ransomware cyber
attack, which paralysed parts and undermined confidence in its IT
services.

Security experts warn that all service providers that handle personal
data, including medical data stored by healthcare sector, not only
should audit their security processes regularly, but should also have
an incident response process in the event of a data leak.