Personal data of patients exposed online by a telemedicine vendor after a misconfiguration

Telehealth is a blessing to patients and health providers but has a flip side too. Hova Health, a telemedicine company based in Mexico misconfigured a MongoDB database thus, exposing the personal data of 2,373,764 patients online.

Bob Diachecko, security researcher used the Shodan.io search engine, which scans the internet for open ports on connected devices and web servers to reveal it. The database was available publicly. It could be accessed and changed by anyone, even without a password.

download (51).jpg

The database had patient names, personal ID codes for Mexican citizens and residents, dates of birth, addresses, insurance policy numbers and expiration dates. It also contained hashed passwords for administration accounts and emails, which made it easier for Diachenko to notify the apparent owner, Hova Health.

Hova Health administrators informed Diachenko that the company is reviewing what exactly happened and checking all the infrastructure to avoid this kind of event from happening again.

The database has many records that seemed to be from a government health service. Thus, it's not clear who actually owns the database. Also, Diachenko couldn’t determine how long the data will be open to the public.

Misconfiguration issues are common in the healthcare sector, which is repeatedly affected by cyber attacks.