An independent cybersecurity researcher in Europe said he discovered an online database that exposed the personal information of 2.3 million patients in Mexico, according to Infosecurity Magazine.
Bob Diachenko, who previously worked at the Kromtech Security Center in Germany, said he found the database Aug. 3 using Shodan, a search engine that enables users to find internet-connected devices. He detailed his findings in a LinkedIn blog post.
The database reportedly included personal data from patients in Mexico, including full name, data of birth, home address and insurance policy number. Upon analyzing the patient data, Mr. Diachenko alleged the database belonged to Hova Health, a telemedicine vendor based in Mexico City.
Mr. Diachenko argued the information exposure occurred after Hova Health misconfigured a MongoDB database. MongoDB is a free, open-source database program on which users store information, mostly in the form of documents.
Hackers have a history of targeting MongoDB databases that run on unsecured default settings or that haven't applied appropriate security protections, such as logins or passwords. In September 2017, three separate groups of hackers targeted roughly 26,000 databases on MongoDB with ransomware.
"It is unclear how long the data was publicly exposed or who else except myself had access," Mr. Diachenko wrote in his blog post. "This is yet another warning to any company or service provider that handles and stores personal medical data."
Mr. Diachenko said the database's administrators responded with the following statement after he notified them of the exposure: "All the areas that work on this project are reviewing exactly what happened and checking all our infrastructure to avoid this kind of events."
Editor's note: Becker's Hospital Review reached out to Hova Health for comment and will update as more information becomes available.