A non-password protected database (opens in new tab) containing millions of healthcare records and 68.53GB of medical related data has reportedly been discovered by security researcher Jeremiah Fowler (opens in new tab) and the Website Planet (opens in new tab) research team.
The medical records in the exposed database apparently contain patient IDs, physician notes and other detailed medical data (opens in new tab) on patients in the US. While some of this data was encrypted, the notes and information on physicians were in plain text.
The physician notes in the database provide intimate details of patient illnesses, treatments, medications, family, social and even emotional issues. In addition to being very complete descriptions, Fowler and the Website Planet research team were surprised by just how many small details were included in these notes.
In its report (opens in new tab), Website Planet warns that if the patient IDs in the database were decrypted and the identities of patients were exposed, it would be easy to see the medical issues or diagnoses of the patients whose medical data was left unsecured online.
Breach or no breach?
Upon further investigation, Fowler and the Website Planet research team discovered multiple references to Deep6.AI including internal emails and usernames.
According to Deep6.AI's website (opens in new tab), the company's software “identifies patients with conditions not explicitly mentioned in medical records”. As a result, its software is used to find patients who better match the criteria for medical trials in a fraction of the time it normally takes.
In total, Fowler and the Website Planet research team found 21m records exposing lab results and medicine details, 422m patient records and a provider index containing 89k records exposing physician names, internal patient ID numbers, document locations and CSV files and other potentially sensitive information. The database in question was also at risk of falling victim to a ransomware (opens in new tab) attack as it was publicly accessible to anyone with an internet connection.
After discovering the database, Fowler and the Website Planet research team immediately sent a responsible disclosure notice to Deep6.AI and public access was restricted shortly after. However, their discovery is yet another example of how leaving a database unsecured (opens in new tab) can put sensitive company and user data at risk online.
Following the publishing of our original story, a spokesperson from Deep6.AI reached out to TechRadar Pro with this statement on the matter:
"Despite recent claims, no personal or patient health data was accessed, leaked or at risk from a Deep 6 AI proof-of-concept database.
In August, a security researcher accessed a test environment that contained dummy data from MIT's Medical Information Mart of Intensive Care (opens in new tab) (MIMIC) system, an industry standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems.
Based on current reporting, we have confirmed that the recent claims reference MIMIC data, and there was no access to real patient records. When the researcher notified us in August, we immediately secured the test environment to ensure there was no further concern.
Data security and privacy is a top priority at Deep 6 AI, and the responsibility to protect data is at the core of our business and top-of-mind for all our people."