Highly sensitive data on over 2.3 million Mexican patients has been exposed via a misconfigured MongoDB installation.
Bob Diachenko, formerly of the Kromtech Security Center, made the discovery via a simple Shodan search last week and claimed in a post that the data was viewable and editable for anyone without a password.
It included full name and gender, unique identity code, insurance policy number, date of birth, home address, and disability and migrant flags.
The database owner, telemedicine company Hova Health, sent the following brief statement when notified: “All the areas that work on this project are reviewing exactly what happened and checking all our infrastructure to avoid this kind of event.”
Along with the patient data, which appears to cover only individuals from a specific region of the country (Michoacán), Diachenko found hashed and salted admin account passwords and email addresses.
“It is unclear how long the data was publicly exposed or who else except myself had access. This is yet another warning to any company or service provider that handles and stores personal medical data,” he argued.
“Security experts warn that not only should they audit their security processes regularly, but they should also have an incident response process in the event of a data leak. With the wave of ransomware attacks on hospitals and medical providers, it is clear that the healthcare sector is being targeted by cyber criminals.”
Although there have been countless cases of misconfigured cloud accounts found publicly exposed, often thanks to mistakes by third-party suppliers, with MongoDB there’s an even greater risk.
Last year saw two waves of attacks on publicly accessible MongoDB databases in which cyber-criminals stole the data before deleting the original copy and demanding a ransom. There were nearly 76,000 victims in the September 2017 attack campaign.
For its part, MongoDB released guidance for users, claiming that if they follow the “extensive security protections built into MongoDB” they would be protected. However, Diachenko claimed nearly 54,000 databases are still exposed.
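The exposure described above is the classic MongoDB failure mode: a `mongod` process bound to all interfaces with authorization left off, so anyone who can reach the port can read and write every collection. The two configuration fragments below are an added illustration, not part of the article or of MongoDB's published guidance; they contrast that weak setup with a hardened one using real `mongod.conf` keys (`net.bindIp`, `security.authorization`, `net.tls`). The hostname, port, certificate path and internal network address are constructed placeholders.

```yaml
# --- WEAK: the kind of setup behind the exposure described above ---
# Listens on every interface and requires no credentials at all.
# Anyone who can reach TCP/27017 can dump, modify or drop every database.
net:
  bindIp: 0.0.0.0        # exposed to the internet if the host has a public address
  port: 27017
# security section absent: authorization defaults to disabled

# --- HARDENED: what a defender should run instead ---
net:
  # Only accept connections from localhost and a private application subnet
  # address (constructed example value); never 0.0.0.0 on an internet-facing host.
  bindIp: 127.0.0.1,10.0.5.12
  port: 27017
  tls:
    mode: requireTLS                       # refuse plaintext client connections
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path, not from the article
security:
  authorization: enabled   # every client must authenticate; roles decide what it may read or write
```

Enabling `security.authorization` on an existing deployment is not enough by itself: at least one user with an administrative role must already exist, otherwise only the localhost exception can create one. After applying the hardened file, an audit consists of confirming from outside the allowed addresses that the port does not answer, and from an allowed address that an unauthenticated client is rejected with an authorization error rather than a listing of databases. Network controls (a firewall or security group that exposes 27017 only to the application tier) belong in front of this, so that a future configuration regression does not repeat the incident.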