MediExcel exposes 500K patient documents


MediExcel, a US-based healthcare provider, left an open instance exposing over half a million patient documents, including diagnoses and claim forms.

With healthcare providers among the top targets for cybercriminal groups, safeguarding medical data is of crucial importance. However, the Cybernews research team has discovered hundreds of thousands of medical documents left open for anyone to access.

The team discovered an Amazon S3 (simple storage service) bucket owned by MediExcel. The company offers a health plan with health benefits to employers in San Diego and Imperial County.

ADVERTISEMENT

The open instance contained over 555,000 exposed documents, including:

  • Copies of registration forms
  • Diagnoses
  • Medical bills
  • Invoices
  • Insurance claims
Data sample.
Sample of the leaked data. Image by Cybernews.

Individual healthcare data can be sold for hundreds of dollars on dark web forums. Malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

“Threat actors could exploit this information for identity theft, insurance fraud, or even extortion. The leak of medical documents and invoices could lead to patient privacy breaches and potential misuse of their health information, which could have severe legal and ethical implications,” our researchers said.

According to the team, most of the exposed information reveals sensitive details about MediExcel’s patients. Exposed information indicates that the dataset may have been accessible from May 2023 through April 2024. The data was exposed due to an AWS S3 access control list misconfiguration.

The dataset is no longer accessible to the public. Cybernews has contacted MediExcel for an official statement but did not receive a reply before publishing.

ADVERTISEMENT