A non-password protected database containing millions of healthcare records and 68.53GB of medical related data has been discovered by security researcher Jeremiah Fowler and the Website Planet research team.
The medical records in the exposed database contained patient IDs, physician notes and other detailed medical data on patients in the US. While some of this data was encrypted, the notes and information on physicians were in plain text.
The physician notes in the database provide intimate details of patient illnesses, treatments, medications, family, social and even emotional issues. In addition to being very complete descriptions, Fowler and the Website Planet research team were surprised by just how many small details were included in these notes.
In a new report, Website Planet warns that if the patient IDs in the database were decrypted and the identities of patients were exposed, it would be easy to see the medical issues or diagnoses of the patients whose medical data was left unsecured online.
Upon further investigation, Fowler and the Website Planet research team discovered multiple references to Deep6.AI including internal emails and usernames.
According to Deep6.AI's website, the company's software “identifies patients with conditions not explicitly mentioned in medical records”. As a result, its software is used to find patients who better match the criteria for medical trials in a fraction of the time it normally takes.
In total, Fowler and the Website Planet research team found 21m records exposing lab results and medicine details, 422m patient records and a provider index containing 89k records exposing physician names, internal patient ID numbers, document locations and CSV files and other potentially sensitive information. The database in question was also at risk of falling victim to a ransomware attack as it was publicly accessible to anyone with an internet connection.
After discovering the database, Fowler and the Website Planet research team immediately sent a responsible disclosure notice to Deep6.AI and public access was restricted shortly after. However, their discovery is yet another example of how leaving a database unsecured can put sensitive company and user data at risk online.