Health Solutions in India has exposed 43,203 patient pathology reports, including those showing HIV test results. Some individuals included in the breach are as young as 17. Worse, the company didn’t want to take responsibility for the issue.
According to security researcher Troy Hunt, the company was storing the files on a website created by a personal friend of executives—someone who has recently graduated from university. The problem is that these files were published without any access controls and in a path with directory listing enabled, which meant that Google would be able to index them. Hunt discovered that not only were the files themselves indexed and searchable, but the contents had also been cached. In other words, Google had been reading the pathology reports and the contents had now spread beyond the source web server, making them publicly accessible and easily discoverable.
To boot, the tens of thousands of pathology reports were hosted on the friend’s own server in a foreign country, along with a host of other unrelated sites—which were infected with a malicious shell.
“For the non-technical readers, this a shell which allows an attacker to remotely run commands on a server,” said Hunt, in a posting. “Someone has been able to place the malicious software on the Health Solutions websites which then enabled them to perform a whole raft of other nefarious activities on the machine. Google indexed it on the 10th of November, less than three weeks before the exposed data was reported to me. It appears to be unrelated to the fact that the site didn't secure the pathology reports in the first place, but it speaks to how poorly managed the entire thing was.”
Pranav Dixit, a BuzzFeed reporter, received surprising feedback from Health Solutions when he contacted them about the exposed files:
“We are not the doctors, we and our franchisees merely do the blood tests, and maintaining doctor-patient confidentiality is not our problem,” a company representative told Dixit via phone. “We are moving to a new domain in January and retiring the existing website, so these problems will be fixed in January. But until then, we are not planning to do anything about this.”
BuzzFeed published a piece on the issue, and managed to get in touch with Rodrigues Kustas, an administrator at Health Solutions. He said that the company’s website had been “hacked” several times—with a data leak occurring six months ago. Yet, “while the website has been hacked, none of the confidential information on health issues of any of our patients has been compromised,” Kustas said.
“Hacked” is a term Hunt takes issue with—among several other things.
“This is not ‘hacking,’ it's incompetence,” he said, in an analysis. “That's a really important distinction because the term ‘hack’ shifts the blame to someone else, when it should rest squarely on the shoulders of [Health Solutions]. And while we're here, saying that none of the info was compromised is blatantly wrong; BuzzFeed pulled HIV test results! Even if Health Solutions went back through the logs (which they may not even have), the fact that Google indexed it all and stored it in cache means that the files were copied outside their environment by a third party and they simply have no idea who has seen them.”
Eventually, the data was removed. But the question remains about the effects of rapidly digitized services in a region that doesn’t have a privacy framework required to protect data (i.e. there's no HIPAA equivalent).
“What we've seen here is far more common than we know,” Hunt said. “I doubt that Health Solutions will now contact the thousands of people impacted by this as we'd see mandated in other parts of the world. I also doubt there'll be any legal or regulatory recourse as a result of their incompetence. But what I do know is that what we've seen here is consistent with so many of the other incidents we've seen around the world in terms of the technical failings. I do hope India can get the regulations in place to hold people accountable when it happens again because with the rush to digitize this sort of thing, it will happen again.”
Photo © bikeriderlondon