Misconfigured Database Leaks 880 Million Medical Records

Researchers have found an unsecured database leaking over 886 million patient records online, although it's now confirmed that this was dummy data.

The non-password-protected data trove was found by Jeremiah Fowler and Website Planet and traced to healthcare AI firm Deep 6 AI, which fixed the privacy snafu promptly after it was responsibly disclosed.

Deep 6 AI applies intelligent algorithms to medical data to help find patients for clinical trials within minutes.

The exposed data included the date, document type, physician note, encounter IDs, patient ID, note, UUID, patient type, note ID, date of service, note type and detailed note text.

The notes and physician information were stored in plain text. Patient IDs were encrypted, but it's unclear how strongly.

However, a statement from Deep 6 AI sent to Infosecurity clarified that no patients were affected by the exposure.

"In August, a security researcher accessed a test environment that contained dummy data from MIT's Medical Information Mart of Intensive Care (MIMIC) system, an industry-standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems," the statement noted.

"Based on current reporting, we have confirmed that the recent claims reference MIMIC data, and there was no access to real patient records. When the researcher notified us in August, we immediately secured the test environment to ensure there was no further concern."

According to IBM, healthcare remains the sector with the highest average breach costs by a wide margin. Those costs rose by nearly 30% over the past year to top $9.2m per incident.
