Millions affected in major health data breach caused by a missing password


Researchers from Cybernews have reported finding a huge database containing sensitive customer information from the Mexican healthcare sector left unprotected online.

The team discovered a misconfigured Kibana instance with a “tremendous volume” of information, later attributed to eCaresoft, a software company behind two cloud-based Hospital Information Systems - Cirrus and Anytime. These platforms are used by more than 65 hospitals, 110 outpatient care centers, and more than 30,000 doctors, to help manage different aspects of work, such as inventory management, medicine management, appointment booking, and more.

According to Cybernews, the database contained sensitive information on more than five million people, leaking things like names, ethnicity, nationality, religion, blood type, birth dates, gender, phone number, email address, CURP (Mexican personal identification number), expenses, hospitals visited, and payment request descriptions.

Shift in tactics

Kibana is an open source data visualization and exploration tool. It is used for analyzing and visualizing log data stored in Elasticsearch, a distributed, open-source search and analytics engine, commonly used for indexing and querying large volumes of data in real time.

Unprotected and poorly managed databases remain one of the key causes of data leaks, and this instance contained more than enough information to help threat actors mount identity theft, phishing, and possibly even wire fraud.

Luckily, neither health records nor payment data were exposed. However, Cybernews stressed that the CURP numbers are “a particular cause of concern”, since they are the Mexican counterpart to the US Social Security Number.

The database has subsequently been locked down, but it's not known for how long it remained open, or if someone found it before the researchers. We also don’t know if the victims have already been notified about the breach or not.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.