Leaky Server Exposes 12 Million Medical Records to Meow Attacker
A healthcare technology company leaked 12 million records on patients including highly sensitive diagnoses, before the exposed cloud server was struck by the infamous “meow” attacker, researchers have revealed.
A team at SafetyDetectives led by Anurag Sen discovered the leaky Elasticsearch server in late October after a routine IP address scan, although it’s unknown how long the data was exposed for before that.
It was traced back to Vietnamese tech firm Innovative Solution for Healthcare (iSofH), which provides software for electronic health records and hospital management to 18 medical facilities, including eight top-tier clinics.
As the server was left publicly exposed without encryption or password protection, the researchers were able to view a 4GB database of 12 million records, affecting roughly 80,000 patients and healthcare staff.
The data is a treasure trove for fraudsters, containing full names and dates of birth, postal and email addresses, phone numbers, passport details, credit card numbers, medical records and recent test results and diagnoses.
It also included the personal information of some children.
Three days after the discovery, the database was attacked by the meow bot which deleted an unspecified number of indexes.
After reaching out to iSofH and the Vietnamese CERT in mid-November to no avail, the researchers were finally able to contact the latter in early December, although the organization apparently hasn't been persuaded to take the incident seriously.
That’s despite the potential for follow-on blackmail and fraud attacks using the leaked data.
“The server contained incredibly detailed patient information and logs, as well as personal information regarding company staff and even partial information about the doctors who work at the various hospitals iSofH operates. If such information was to fall into the hands of criminals, this would present an acute security risk to doctors, company staff and patients simultaneously,” SafetyDetectives argued.
“More broadly, revealing full names, addresses and emails can be harnessed by nefarious users to inflict severe financial and reputational harm upon victims in the form of identity theft and financial fraud. The availability of credit card information further exacerbates the potential danger posed to victims, leaving them susceptible to credit card fraud and other financial crimes.”