Missing password leads to 5.3 million leaked health records

Cybernews reports that on August 26, 2024, its research teams found a 500 GB unprotected database belonging to a Mexican healthcare company. The database exposes sensitive information such as names, personal identification numbers (CURP), phone numbers, payment request descriptions, and more.

The total number of people affected is 5.3 million, which represents about 4% of the country’s population, Cybernews notes. According to the Cybernews report, the security flaw resulted from a “misconfigured” deployment of the data visualization tool Kibana, which apparently did not require authentication.

The massive volume of data was later attributed to Ecaresoft, a Texas-based software company behind cloud-based hospital information systems such as Anytime and Cirrus. More than 30,000 doctors, 65 hospitals and 110 outpatient care centers use Ecaresoft’s services to manage tasks such as appointment booking, medication management, inventory management and more.

Other exposed data includes ethnicities, nationalities, religions, blood types, dates of birth, gender, email addresses, the amount charged for healthcare services and the hospitals visited. This time, threat actors are not the cause. There is no official information about whether the affected users are aware of the situation or how long the database (now shut down) was active.

The affected users’ health records have not been seized, but because their Mexican government ID (equivalent to the US Social Security number) is compromised, they are at risk of wire fraud and phishing (among other things). The company has not yet released a statement regarding the exposed data, but we hope to hear something official soon. If data is left unprotected, it can be indexed by search engines and taken over by threat actors who constantly scan the Internet for these types of unprotected files.

While US citizens don’t have to worry about their personal information being compromised in this case, it shows how important password security is. An easy-to-guess password leaves you just as vulnerable as no password at all. One of the worst password failures in the last decade was Equifax’s 2017 data breach, which made it easy for hackers to steal their data due to the use of “admin” as the password.