Fri. Oct 25th, 2024

A missing password leads to 5.3 million leaked medical records


Cybernews reports that its research teams found an unprotected 500 GB database belonging to a Mexican healthcare company on August 26, 2024. The database reveals sensitive information such as names, personal identification numbers (CURP), phone numbers, payment request descriptions, and more.

The total number of people affected is 5.3 million, which amounts to about 4% of the country’s population, as Cybernews notes. The Cybernews report indicates that the exposure was due to a “misconfigured” instance of a data visualization tool called Kibana, which appears to have been left unauthenticated.

The massive amount of data was later attributed to Ecaresoft, a Texas-based software company behind cloud-based hospital information systems such as Anytime and Cirrus. More than 30,000 physicians, 65 hospitals and 110 outpatient care centers use Ecaresoft’s services to manage tasks such as appointment booking, medication management, inventory management and more.

Other leaked data includes ethnicities, nationalities, religions, blood types, dates of birth, gender, email addresses, the amount charged for healthcare services and the hospitals visited. This time, threat actors are not the cause. There is no official information on whether affected users are aware of the situation or how long the database (now deleted) was active.

The health data of the users involved has not been taken, but because their Mexican government identification (similar to the US social security number) is compromised, they are exposed to wire fraud and phishing, among other things. The company hasn’t released a statement about the unprotected data yet, but hopefully we’ll hear something official soon. When data is left unprotected, it can be indexed by search engines and captured by threat actors who continually scour the Internet for these types of unprotected files.

While people in the US don’t have to worry about their personal information being compromised in this case, it does show how important password security is. An easy-to-guess password makes you just as vulnerable as no password at all. Another of the worst password mistakes of the past decade was at Equifax: in the 2017 data breach, the use of “admin” as the password made it easy for hackers to steal its data.






By Sheisoe
