Health database of 230k Indians leaked online

During 2019, incidents of medical information exposure caused by incorrectly configured databases were frequently reported. The trend seems to be continuing in 2020, as WizCase cybersecurity researchers have just reported three medical databases exposing various personal details of citizens of multiple countries.

Among the exposed databases is one operated by an Indian medical company, which has exposed the confidential information of thousands of users.

The databases were found during an investigation in collaboration with some medical companies. In this process, it was discovered that the databases were fully exposed: they were not encrypted and required no password to access. All affected companies have already been notified.

The affected companies, according to the latest cybersecurity report, are:

  • HX Wellness Private Limited (Aermed online pharmacy app) – India – Approximately 230 thousand exposed records, including patient and staff data
  • Mobile Health Pte Ltd (MaNaDr Mobile Health) – Singapore – About 842,000 records discovered, exposing details of patients and physicians
  • Instituto Zaldívar – Argentina – Nearly 8,600 records were found, with leaked data of ophthalmic patients

HX Wellness Private Limited

This firm, based in India, set up a 4 GB database, equivalent to more than 230,000 compromised records, including confidential patient and medical staff information (full names, age, location data and email, among other data). The company used MongoDB and an Amazon Web Services bucket.

Mobile Health Pte

Established in Singapore, this medical company exposed nearly 600 MB of confidential information, equivalent to 842 thousand records, most belonging to patients, including diagnostics, medical history, laboratory analysis, prescriptions and personal data. The firm used an Elasticsearch server. In response to the report, the company released a statement saying that the exposed data belong to a test database, so they are not actual patient data.

Instituto Zaldívar

This ophthalmological clinic based in Argentina exposed a database with more than 72 MB of information, equivalent to 8,600 records, mostly belonging to patients of the clinic, including prescriptions and personal data.

Cybersecurity incidents that expose sensitive information are especially harmful, so these reports are essential to raising awareness among users and companies.