UPDATE: VPNOverview previously reported a medical data breach affecting a patient database belonging to electronic records and hospital system Bahmni. Since publication, it has come to our attention that the authenticity of the patient data involved cannot be confirmed. It is likely that the database contains fictitious test data, designed to mimic real patient data.
Furthermore, Bahmni issued the following statement in response to our earlier reporting:
“We have investigated the claims made and our analysis shows that there has not been a data breach. The Patient DB backup in question is our testing DB that was meant for functional and performance testing of Bahmni products. The data in the DB (including usernames and passwords) is fake and anonymized to guarantee that there is no personal identifiable information but useful enough for product testing & user training purposes. This is similar to a lot of other open source libraries like https://fakerjs.dev/, that allow teams to create fake realistic looking data.”
After further investigation, we want to emphasize that the discovered data likely does not involve real patient information. The report has largely been pulled offline, with the timeline remaining, as well as additional information on various recent medical breaches.
Timeline
This is the timeline of events:
| Event | Date | Time |
|---|---|---|
| VPNOverview discovered the accessible database | September 19, 2022 | 11:20 AM |
| Our team notified Bahmni about the unsecured database | September 20, 2022 | 7:49 PM |
| We received an email response from Bahmni | September 21, 2022 | 7:38 AM |
| Bahmni closed the possible breach | September 21, 2022 | 11:57 AM |
Despite requests for additional commentary, Bahmni could not answer any additional queries about the discovered data. It was only many weeks later, after the publication of the report, that Bahmni reached out, stating that it most likely was a database with test data.
Securing Electronic Medical Records (EMRs)
The use of electronic medical records (EMR) software and integrated solutions is expected to surge through 2030. Hospitals and healthcare systems record patient data using EMR, and the ease of data sharing enables more accurate diagnosis and treatment.
Since EMRs are very sensitive, it is important they remain secure. Cybercriminals can use medical records to launch social engineering scams or phishing attacks tailored specifically for individuals.
Fairly recently, we’ve seen sensitive patient records splashed on the dark web by hackers. Following an October ’22 cyberattack where hackers stole 9.7 million patient records, Australian healthcare provider Medibank refused to pay a ransom. Cybercriminals then set an ultimatum — pay the ransom within 24 hours, or patient data would be leaked. Hackers went through with their threat, releasing data of patients who had been treated for sensitive issues such as addiction or eating disorders.
Clearly, it is dangerous to leave medical records lying around in an open bucket. Companies have got to be careful with EMRs and personal data. Still, it isn’t uncommon for companies to store their data in publicly accessible AWS buckets, as our research on Moss Adams and Resileo has shown.