A Dutch security researcher has stumbled across nine data leak incidents involving medical records belonging to circa 200,000 patients, and possibly many more – all due to developer blunders on GitHub repositories.
Jelle Ursem, an ethical hacker from the Netherlands, together with Databreaches.net, has released a joint report detailing nine data leak incidents at various healthcare providers, one health plan, and business associates or other third parties serving the medical sector.
On the popular software developer platform GitHub, Ursem discovered with a few simple searches that an alarming amount of sensitive data, including login credentials, had been left exposed by negligent developers. Months after his initial investigation into the leaks, Ursem teamed up with Databreaches.net to put together a paper and disclose some of his findings concerning leaks of protected health information (PHI) on GitHub – but not before responsibly disclosing his findings to the affected entities.
Only three of the nine affected entities responded to the researchers’ disclosure and patched their blunders. Some ignored his findings, while others even threatened to pursue legal action against him – despite Ursem disclosing his findings responsibly and giving the affected entities enough time to address the leaks.
The report mentions nine U.S. entities’ leaks of PHI, including Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, AccQData, and one entity left unnamed because its leak had yet to be secured at the time the report went live.
“For the 9 leaks, there were approximately 150,000 – 200,000 unique patients’ records exposed, and possibly many, many more, because Ursem did not sample or access everything that was exposed,” Databreaches.net reports.
All the leaks allegedly occurred because developers:

- embedded hard-coded login credentials in their code instead of making them a configuration option on the server the code runs on
- used public repositories instead of private repositories
- failed to use two-factor or multifactor authentication for email accounts
- abandoned repositories instead of deleting them when no longer needed

Service providers also increased the risk of leaks by failing to deploy IP address whitelists, not enforcing password resets, and not providing a responsible disclosure mechanism.
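The first of those developer mistakes, credentials written into source instead of supplied by the server's configuration, is the one a team can both avoid and check for mechanically. The Python below is an added example, not code from the report or from any entity it names; its regex heuristics and the sample source lines are constructed for illustration. It shows the recommended pattern (read credentials from the environment at runtime and fail if they are absent) next to a minimal scanner that flags credential-looking assignments and database URLs with embedded passwords, redacting the secret in what it reports so the scan output does not re-leak the value.

```python
"""Added example: load credentials from configuration instead of source, and
scan source lines for credentials that were hard-coded anyway.
Not code from the report; the heuristics and sample lines are constructed."""
import os
import re
from typing import Iterable, List, Mapping, Optional, Tuple

# Assignments whose right-hand side is a quoted literal and whose name hints at
# a secret. Constructed heuristics; production scanners carry far more rules.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
    # Connection URLs with an embedded password: scheme://user:password@host
    re.compile(r"(?i)(?:mysql|postgres(?:ql)?|mongodb)://[^:/\s]+:([^@\s]+)@"),
]
# Values that are obviously placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"(?i)^(<.*>|\$\{.*\}|changeme|x{3,}|your[_-].*)$")


def find_hardcoded_credentials(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line that looks like it
    embeds a credential. The secret itself is replaced with *** so the scan
    output can be shared without re-leaking the value."""
    hits = []
    for number, line in enumerate(lines, 1):
        # Values pulled from the environment at runtime are the fix, not a hit.
        if "os.environ" in line or "getenv(" in line:
            continue
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            secret = match.group(match.lastindex)
            if PLACEHOLDER.match(secret):
                continue
            hits.append((number, line.replace(secret, "***")))
            break
    return hits


def load_db_credentials(env: Optional[Mapping[str, str]] = None) -> dict:
    """The recommended pattern: credentials come from the server's environment
    (or a mapping standing in for it), never from the repository. Fails closed
    when a variable is missing instead of falling back to a default."""
    source = os.environ if env is None else env
    missing = [name for name in ("DB_USER", "DB_PASSWORD") if not source.get(name)]
    if missing:
        raise RuntimeError("missing configuration: " + ", ".join(missing))
    return {"user": source["DB_USER"], "password": source["DB_PASSWORD"]}


# Constructed sample of the kind of file the report describes; no real data.
SAMPLE_SOURCE = [
    'DB_HOST = "db.internal.example"',
    'DB_USER = "billing_app"',
    'DB_PASSWORD = "Sup3rS3cret!"',                               # hard-coded: hit
    'API_KEY = "<your-api-key>"',                                 # placeholder: ignored
    'conn = "postgres://app:hunter2@db.internal.example/phi"',   # in URL: hit
    'SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]',                # from env: ignored
]

if __name__ == "__main__":
    for number, redacted in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {number}: {redacted}")
    print(load_db_credentials({"DB_USER": "app", "DB_PASSWORD": "from-env"}))
```

Run it as a pre-commit or CI step over the files about to be pushed; a non-empty result should block the push to any repository, and a public repository in particular. The scanner is deliberately conservative (it looks only at quoted literals and connection URLs), so a clean result is not proof that nothing is embedded; it is the cheap check that would have caught the pattern the report describes.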
For those interested in staying abreast of common misconfigurations and best development practices, the full report can be found here: ‘No need to hack when it’s leaking – GitHub Healthcare Leaks – Protected Health Information on the Public Web.’