Over two million Mexican patients affected
Enterprise network security experts from the International Institute of Cyber Security report that a MongoDB database storing health care information of more than 2 million patients in Mexico was exposed, revealing patient’s sensitive information.
Last 3 August, enterprise network security investigators found the information published online; the database includes full names, CURP (a unique identity code for Mexico citizens and residents), insurance policy numbers and expiration dates, dates of birth and addresses of 2,373,764 patients, and even found database administrator and email passwords.
The information was also indexed by the Internet of Things (IoT) search engine Shodan and was visible and accessible, no password needed. All patient information was related to the state of Michoacán, but security specialists in enterprise network security could not determine who left the database unprotected. The research indicated that the information was owned by the company Hova Health, an organization focused on two main areas: telemedicine and software development for the health sector.
“Problems of this kind have been present in MongoDB at least since March 2013”, say the research managers. “The company updated its software and constantly posted security guidelines. However, it has been five years and these databases have still been found available on the Internet, about 45K must be around nowadays”, according to specialists in enterprise network security.
In related news, a similar incident affected several Mexican voter registrations a few years ago, in which data of 93 million voters were exposed by a poorly configured MongoDB server. According to enterprise network security experts, this may often happen because someone installs a MongoDB database without configuring it in a secure way.
Among MongoDB’s failures, it’s remarkable that database servers are exposed by default on all network interfaces, which means that they are directly exposed to hackers if the server is connected to the Internet and is not properly protected. The MongoDB database also does not require authentication to connect by default, which means that anyone with access to the database server can query and retrieve data from it.
Enterprise network security specialists add that every time a data-management company ignores the appropriate protection measures, the organization in question will face problems. “This kind of personal information is among the most sensitive you can imagine, and provides details about an individual that hackers could use to commit cyber crimes like spear phishing, blackmail or even identity fraud”, as mentioned by the specialists. “The database, which was not even password protected, is a clear example of why organizations need to transcend the username/password authentication scheme, added the enterprise network security experts.