
Over five million patients in Mexico are at risk following a data leak from hospital information systems. The leak was caused by a missing password.
On August 26th, the Cybernews research team discovered a misconfigured Kibana instance that stored a tremendous volume of patient information. Kibana is a popular tool used in digital systems to monitor and analyze data.
The leaked database contained 500GB of sensitive data, which exposed 5.3 million individuals across Mexico – around 4% of the country’s population.
What data was leaked?
- Names
- Ethnicities
- Nationalities
- Religions
- Blood types
- Dates of birth
- Genders
- Phone numbers
- Email addresses
- Mexican personal identification numbers – Clave Única de Registro de Población (CURP)
- Amounts charged for healthcare services
- Hospitals visited
- Payment request descriptions
The researchers attributed the open instance to eCaresoft Inc., a Texas-based software company that has developed and operated two cloud-based Hospital Information Systems, Cirrus and Anytime.
Healthcare institutions use these platforms to manage various aspects of healthcare work, including managing inventories and medicine, booking medical appointments, synchronizing information between departments, and keeping each patient's healthcare records.
According to the company, the platform's users include over 30,000 doctors, 65 hospitals, and 110 outpatient care centers.

Leaked CURP numbers put citizens at risk
Although the most sensitive information, like health records, was not leaked, the large number of victims makes this dataset an attractive target for cybercriminals.
The leaked CURP numbers are a particular cause of concern. CURP is an ID number provided by the Mexican government to Mexican citizens and residents. It serves a purpose similar to that of the Social Security number in the US.
In the hands of threat actors, a CURP number could be exploited for identity theft and fraud. From gaining access to further sensitive information to impersonating a person to open bank accounts, quite a few illegal activities might put victims at risk.
“Attackers could use this leaked information to exploit insurance claims, steal money, or defraud healthcare systems. Victims may experience unauthorized transactions and unpaid debts,” warned the Cybernews research team.

“Criminal organizations can buy, sell, and exploit this leaked data on the dark web, where it can be used in a wide range of fraudulent activities or blackmail schemes.”
Leaked information, combined with other online data points from previous leaks, could be used to craft sophisticated phishing attacks via email and phone impersonating healthcare institutions.
Cybernews contacted the company regarding the discovered leak, and the open instance has been closed. An official comment has yet to be received.
Also, at the time of writing, Cybernews had no information about whether the affected individuals and healthcare providers had been informed about the leak.

Company’s response
eCaresoft stated that by the time of disclosure, their security team had already addressed the issue after previously receiving notice of the vulnerability. The company claims that leaked data contained no real patient information, as it was a test instance.
“The server was a non-production environment containing anonymized, randomly generated test data, not real patient data. As your article suggested, there was no risk of exposing sensitive patient information,” the company’s spokesperson said.
Threat actors are not always to blame
Sadly, it’s not uncommon for companies to make sensitive data public, potentially handing it to threat actors without the need for them to even lift a finger.
If access to Kibana or another widely used tool, Elasticsearch, is left without proper authentication, the data can be indexed by search engines and become accessible to anyone online. Threat actors are constantly scanning the internet, looking for unsecured databases to steal data.
Cybernews research has shown that leaks, where companies fail to secure access to digital infrastructure, are a very common and yet underestimated issue.
To give an example, earlier this year, Cybernews found a data leak that affected the entire Brazilian population. The open instance contained hundreds of millions of Cadastro de Pessoas Físicas (CPF) numbers, which are used to identify taxpayers in the country.
While eCaresoft reacted quickly to the disclosure and secured access, unfortunately, in many cases, companies are not responsive, and the data stays accessible to anyone for long periods of time.
While such leaks are most likely unintentional human errors, they might be causing significant damage and are a stark reminder that good cybersecurity practices are crucial.
Updated on 24th of October with the company's statement.