CrelioHealth, a cloud-based laboratory information management system, left an open instance exposing the sensitive data of tens of thousands of people. The company recognized the issue and fixed it immediately.
CrelioHealth left an open Elasticsearch cluster containing millions of lab records. According to Bob Diachenko, CEO of SecurityDiscovery, the company has confirmed the exposed instance held CrelioHealth data concerning the National Reference Laboratory in the United Arab Emirates.
The National Reference Laboratory operates ten medical facilities nationwide, providing services to private and government hospitals, medical centers and clinics, corporate organizations, and other reference labs. Elasticsearch is a popular search and analytics engine for storing and querying large volumes of data, including application logs.
Diachenko claims that the now-closed instance held over 28 million records. Running a query for “firstname” returned 462,000 results. However, given there could be duplicates, he believes the number of exposed people could range from 50,000 to 100,000.
CrelioHealth claims the Elasticsearch cluster was exposed due to a data migration process. The India-based company reportedly processes over four million reports every month and handles 110,000 individual lab records every day.
What data did CrelioHealth expose?
The exposed database held personally identifiable information (PII) such as:
- Passport or ID number
- Full name
- Mobile (if specified)
- Address (if specified)
- Email (if specified)
- Date of birth
- Other data (service indicator, control ID, lab sample ID, personnel log used in HL7 messaging standard format)
According to CrelioHealth, the company took “immediate action” to address the data leak and implement “necessary security measures” to “safeguard the non-public information, user data, and internal documents that were at risk.”
“The incident was a result of an accidental assignment of a public [internet protocol] IP address to the Elasticsearch log cluster during a data migration process. This temporary exposure occurred today – 29th August – as we were in the process of migrating data to a different cluster hosted,” the company told Diachenko.
CrelioHealth denies PHI was exposed
According to the company, the incident took place on August 29, leading to “an unintentional exposure of our internal log server for system transactions of NRL specific instances.”
“Due to an oversight, our internal log server was temporarily assigned a public IP address, which inadvertently allowed public traffic to access the internal log system,” the company told Cybernews.
However, the company denied that any protected health information (PHI) was exposed. CrelioHealth said that the exposed logs were part of a separate monitoring cluster, adding that all of the data were test logs.
The company added that the actual number of leaked logs is far smaller, “in the range of 1000-2000 NRL specific log records and the count of a search query is a keyword in log index which is misrepresenting the actual number of records.”
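The root cause the company describes is a log cluster that became reachable from the internet when its host received a public address. A node that requires authentication and TLS does not become an open instance just because its IP changes, so a pre-migration check of the node settings is a cheap control. The following is an added example written for this article, not code from CrelioHealth or Elastic: it reads a flat elasticsearch.yml (simplified parser, dotted keys only) and flags combinations that leave the HTTP API answering unauthenticated requests. Both sample configurations are constructed for illustration.

```python
"""Pre-migration check of Elasticsearch node settings (added example, constructed samples)."""
from typing import Dict, List, Tuple

# Values of network.host that keep the HTTP API on the loopback interface only.
LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse `key: value` lines from elasticsearch.yml.

    Assumption: settings use the flat dotted form (e.g. xpack.security.enabled: true);
    nested YAML blocks are not handled by this simplified parser.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only, so "::1" survives as a value
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def binds_beyond_loopback(settings: Dict[str, str]) -> bool:
    """True when network.host names any non-loopback interface.

    Elasticsearch binds to loopback only when the setting is absent.
    """
    raw = settings.get("network.host", "_local_")
    hosts = {h.strip() for h in raw.strip("[]").split(",") if h.strip()}
    return not hosts <= LOOPBACK_HOSTS


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, problem) pairs for settings that weaken exposure controls."""
    findings: List[Tuple[str, str]] = []
    if not binds_beyond_loopback(settings):
        return findings  # loopback-only nodes are unreachable from other hosts
    # An absent xpack.security.enabled is treated as unverified: it defaulted to
    # false on 6.x/7.x and only became true by default in 8.x.
    if settings.get("xpack.security.enabled", "").lower() != "true":
        findings.append(("xpack.security.enabled",
                         "node binds a non-loopback address without authentication enabled"))
    if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append(("xpack.security.http.ssl.enabled",
                         "HTTP API served without TLS on a non-loopback address"))
    return findings


# Constructed sample: a log-cluster config that becomes an open instance the
# moment its host is given a public IP.
WEAK_CONFIG = """
cluster.name: lab-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: reachable on a private address, but authentication and TLS
# are on, so an address change alone does not expose the indexed data.
HARDENED_CONFIG = """
cluster.name: lab-logs
network.host: 10.20.0.15
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(parse_flat_yaml(cfg))
        print(f"{name}: {'OK' if not problems else ''}")
        for setting, problem in problems:
            print(f"  {setting}: {problem}")
```

The check deliberately reasons about the bind address rather than whether the address is public: a private address is not a security control, and the hardened sample passes only because authentication and TLS are enabled, not because 10.20.0.15 happens to be internal today.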
What are the dangers?
Exposing sensitive PII data can cause many issues for victims. Stolen data can be used to commit fraud: from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.
According to Mantas Sasnauskas, the head of the Cybernews research team, even if the data was exposed only briefly, there is still a risk that malicious actors accessed it.
“The leak, even for a brief time, could have fallen into the wrong hands and be a clear violation of privacy laws such as the Health Insurance Portability and Accountability Act in the US, and the General Data Protection Regulation in the EU,” Sasnauskas said.
Additionally, threat actors could use leaked service indicators, control IDs, lab sample IDs, and personnel logs in HL7 format to gain unauthorized access to more sensitive data and systems.
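The exposed records were transaction logs that carried HL7 messages, and HL7 v2 patient (PID) segments hold exactly the identifiers listed above: ID numbers, name, date of birth, address, phone and e-mail. The usual mitigation is to scrub those fields before a message is written to a log index, and to run a detection pass over what is already indexed. The following is an added example, not code from CrelioHealth or NRL: it uses the standard HL7 v2.x PID field numbers, the sample ORU^R01 message is constructed, and the choice of which fields to redact is an assumption for illustration.

```python
"""Detect and redact patient identifiers in HL7 v2 messages (added example, constructed sample)."""
import re
from typing import Dict, List, Tuple

# PID fields that carry direct identifiers (HL7 v2.x PID segment field numbers).
PID_IDENTIFIER_FIELDS: Dict[int, str] = {
    3: "patient-id-list",   # PID-3: MRN, passport or national ID numbers
    5: "name",              # PID-5: patient name
    7: "date-of-birth",     # PID-7
    11: "address",          # PID-11
    13: "home-contact",     # PID-13: phone numbers and e-mail
    14: "work-contact",     # PID-14
    19: "ssn",              # PID-19: national identifier
}

SEGMENT_SPLIT = re.compile(r"\r\n|\r|\n")  # HL7 uses CR, but logs often rewrite line endings


def field_separator(message: str) -> str:
    """MSH-1 is the field separator itself: the character right after 'MSH'."""
    return message[3] if message.startswith("MSH") and len(message) > 3 else "|"


def find_identifiers(message: str) -> List[Tuple[int, str]]:
    """Detection: (field number, label) for every populated PID identifier field.

    Run this over log lines that should already be scrubbed; any hit is a finding.
    """
    sep = field_separator(message)
    found: List[Tuple[int, str]] = []
    for seg in SEGMENT_SPLIT.split(message):
        fields = seg.split(sep)
        if fields[0] != "PID":
            continue
        for idx, label in PID_IDENTIFIER_FIELDS.items():
            if idx < len(fields) and fields[idx] and not fields[idx].startswith("[REDACTED"):
                found.append((idx, label))
    return found


def redact_hl7(message: str) -> str:
    """Mitigation: replace identifier fields with labelled placeholders.

    Field positions are preserved so downstream parsers still read the message.
    """
    sep = field_separator(message)
    out: List[str] = []
    for seg in SEGMENT_SPLIT.split(message):
        if not seg:
            continue
        fields = seg.split(sep)
        if fields[0] == "PID":
            for idx, label in PID_IDENTIFIER_FIELDS.items():
                if idx < len(fields) and fields[idx]:
                    fields[idx] = f"[REDACTED-{label}]"
        out.append(sep.join(fields))
    return "\r".join(out)


# Constructed sample: a lab result (ORU^R01) as it might appear in a transaction log.
SAMPLE_MESSAGE = "\r".join([
    "MSH|^~\\&|LIS|LAB|EHR|HOSP|20230829120000||ORU^R01|MSG0001|P|2.5",
    "PID|1||A1234567^^^LAB^PI~P98765432^^^XX^PPN||DOE^JANE||19850412|F|||"
    "12 EXAMPLE ST^^CITY^^^XX||+000000000000^^^jane@example.invalid",
    "OBR|1||LAB-SAMPLE-0042|CBC^COMPLETE BLOOD COUNT|||20230829113000",
    "OBX|1|NM|WBC^WHITE BLOOD CELLS||6.2|10*3/uL|4.0-11.0|N|||F",
])

if __name__ == "__main__":
    print("identifiers in raw message:", find_identifiers(SAMPLE_MESSAGE))
    scrubbed = redact_hl7(SAMPLE_MESSAGE)
    print(scrubbed.replace("\r", "\n"))
    print("identifiers after redaction:", find_identifiers(scrubbed))
```

The redaction keeps order and sample identifiers (OBR-3 and the observation values) so the log remains useful for troubleshooting transactions; the article's point that sample IDs and control IDs can themselves be leveraged means a deployment handling real traffic may choose to hash those too, which is a one-line extension of the same loop.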
“This incident underscores the importance of robust data security measures and regular audits to prevent such leaks. It’s crucial for organizations handling sensitive data to invest in advanced security infrastructure and follow best practices for data privacy,” Sasnauskas explained.
Updated on September 14th [08:40 AM GMT] with statement from CrelioHealth.