Massive Medical Data Exposure
In the age of for-profit healthcare customer medical data is more than just a valuable asset, it is a gold mine and everyone wants to get in on the action. Experts believe that the use of medical data will change the future of healthcare, while others say that it already has. In the last decade there has been many advances in the technology to collect and generate patient and medical data. Doctors and hospitals now collect almost everything they do. The medical industry uses technology at every stage of patient care to analyze and understand it. Medical Big Data is supposed to help providers become more efficient and productive (and make more money from patients and insurance providers). What happens when that medical data is publically exposed?
Medical data is also valuable asset in the hands of hackers and malicious actors who sell it or give away for free. As Dissent from Databreaches.net reported recently, the infamous TheDarkOverlord hacker dumped three more patient databases just in the first week of May!
During regular security audit of exposed rsync protocols on Shodan the Kromtech Security Center discovered a misconfigured backup device that appeared to contain complete medical records of potentially thousands and thousands (if not millions!) patients of Bronx Lebanon Hospital Center (BLHC). Kromtech Researchers with help from Dissent Doe (administrator of Databreaches.net site) were able to identify that a IP where backup device was hosted was connected with iHealth Innovations a Louisville, KY based IT Services Provider.
According to their website: “iHealth offers a broad range of back-office and front-office technologies combined with customized services that help you maximize your revenues and return on investment"
We have sent notification to iHealth via email and tried to reach them by the phone, but nobody was there to respond.
Only after reaching out directly to BLHC necessary security measures have been taken and IP was isolated from external access.
Read Dissents take on the investigation here
The details are mind blowing at just how much personal medical information is included in some patient files. Just one “addiction intake” file that researchers reviewed painted a full picture of the patient's drug use, medical history and suicidal thoughts and many other data points that the average person would never even consider. For example, there were more than 300 *txt files listed in just one directory. The size of each file ranges from 4MB to 473MB and an average 34MB text file contained the medical data for more than 7 thousand patients.
So there is potentially a massive number of patient data files that were publicly exposed, not encrypted, and required no authentication to access.
Even the most modest estimate of patients affected could be as high as several million. The data includes everything, from address, SSN, email, phone, full medical diagnosis, and much more. Exposed folders contained hundreds and thousand of files in *.txt or *.pdf formats with complete personal info and medical diagnosis. Although, iHealth Innovations has a wide range of customers across the spectrum, it appears that a majority of these files originated from Bronx Lebanon Hospital Center (BLHC).
Most health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule), a federal privacy law that sets a baseline of protection for certain individually identifiable health information (“health information”).
It is unclear if anyone else had access to these medical records and other personal data as we are still waiting for iHealth and BLHC official statements.
However, all parties involved are required to notify patients under the the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414. This requires all HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org