Health Genie, a healthcare IT solutions provider, left an open instance, exposing patients’ personal details as well as sensitive clinical data.
The India-based healthcare solutions provider left an open Amazon S3 bucket, exposing over 36 gigabytes of data, or nearly 450,000 documents, the Cybernews research team discovered.
Health Genie provides numerous health care services, such as finding doctors, booking appointments, electronic health record (EHR) systems, reporting and analytics, financial monitoring, and other services. The Health Genie app has over 100,000 downloads on the Google Play store.
According to the team, the exposed instance contained a trove of personal identifiable information (PII) and identifiable health records. The exposed bucket exposed:
- Patient bills
- Clinical notes
- Lab reports
- Appointment details (photos, screenings, etc.)
- Names
- Dates of birth
- Phone numbers
- Addresses
- Medical contract numbers
- Medical histories
- Payment details
The team identified that out of 450,000 exposed documents, 200,000 were those of the service's patients.
Worryingly, the dataset has been exposed for several months after researchers discovered the open instance and informed the company about the issue.
We contacted Health Genie for official comment but received no response before publishing.
Exposing personal medical data poses severe risks for affected individuals as attackers could use the information for identity theft, financial fraud, targeted phishing attacks, blackmail, and potentially compromise patients’ medical histories and personal information.
Individual healthcare data can be sold on dark web forums. For example, malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to health insurers.
Your email address will not be published. Required fields are markedmarked