Millions of health records exposed to public in Mexico

A German cyber security enthusiast says he discovered an unprotected online healthcare database and gained access to 2.3 million Mexican patients records including their personal information and health reports.

Bob Diachenko, cyber security and IT enthusiast from Germany discovered the database which held personal entries of patients from Michoacán state in Mexico has been freely available on the Internet.

The database was publicly available as a result of misconfigured, free to use and open-source MongoDB database operated by the record holder.

Diachenko was able to access personal information such as full name, gender, identity codes, insurance policy numbers along with the expiry dates, date of birth, home address and disability or migrant status.

Bob Diachenko cyber security enthusiast
Bob Diachenko

“A MongoDB instance was indexed by IoT search engine Shodan and was viewable, accessible and editable without login or password for anybody in the world connected to the Internet”, said Diachenko in his LinkedIn blog post.

After looking into the data, Diachenko was able to establish that Hova Health, a telemedicine company, was holding these records while working on its healthcare project. The Mexico City based company offers software development for the medical companies and health sector.

Database also contained passwords for admin accounts and associated with them email addresses, therefore, Diachenko was able to notify the responsible individuals and the dataset was secured within a few hours.

It is not clear as to how long the data was publicly exposed and who else gained access to the records. Nobody claimed to be an actual owner of the database either, and Hova Health is currently uncontactable. Their website has been similarly down for the last two days.

With the wave of ransomware attacks on hospitals, and medical providers, it is clear that the healthcare sector is being targeted by cyber criminals.

Just a few weeks ago we were reporting about hackers attack on Singapore government’s health database.

Back in May 2018, the NHS has been targeted by the ransomware cyber attack, which paralysed parts and undermined confidence in its IT services.

Security experts warn that all service providers that handle personal data, including medical data stored by healthcare sector, not only should audit their security processes regularly, but should also have an incident response process in the event of a data leak.

Don't miss your daily pharmaphorum news.
SUBSCRIBE free here.