MediExcel exposes 500K patient documents

MediExcel, a US-based healthcare provider, left an open instance exposing over half a million patient documents, including diagnoses and claim forms.

With healthcare providers among the top targets for cybercriminal groups, safeguarding medical data is of crucial importance. However, the Cybernews research team has discovered hundreds of thousands of medical documents left open for anyone to access.

The team discovered an Amazon S3 (simple storage service) bucket owned by MediExcel. The company offers a health plan with health benefits to employers in San Diego and Imperial County.

The open instance contained over 555,000 exposed documents, including:

  • Copies of registration forms
  • Diagnoses
  • Medical bills
  • Invoices
  • Insurance claims
Data sample.
Sample of the leaked data. Image by Cybernews.

Individual healthcare data can be sold for hundreds of dollars on dark web forums. Malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

“Threat actors could exploit this information for identity theft, insurance fraud, or even extortion. The leak of medical documents and invoices could lead to patient privacy breaches and potential misuse of their health information, which could have severe legal and ethical implications,” our researchers said.

According to the team, most of the exposed information reveals sensitive details about MediExcel’s patients. Exposed information indicates that the dataset may have been accessible from May 2023 through April 2024. The data was exposed due to an AWS S3 access control list misconfiguration.

The dataset is no longer accessible to the public. Cybernews has contacted MediExcel for an official statement but did not receive a reply before publishing.

More from Cybernews:

LockBit gang leader exposed in FBI ransomware breakthrough

Six arrested for crypto scam, over €750K seized

FBI warns of fraudsters targeting gift card systems

The next chapter in air travel: facial recognition and privacy concerns

FOMO over Netflix water cooler chats driving new subscriber surge

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked