Misconfigured Elasticsearch Security Settings Exposes PHI of 137,000 Individuals

Approximately 137,000 individuals have had their data exposed online due to misconfigured security settings on an Elasticsearch database.

Security researcher Jeremiah Fowler discovered the exposed database. Fowler discovered that the database could be accessed through a simple Internet browser without any need for authentication or identity-verification due to incorrect configuration of security settings. Any unauthorised individual could access, download, or edit the database.

Fowler discovered that the patient information pertained to patients of SkyMed, an emergency evacuation service provider.

Fowler identified 136,995 individual records were publicly available in the database. The files included information such as names, addresses, phone numbers, email addresses, and dates of birth. Some records also contained medical information.

Fowler also noticed an entry in the database called “howtogetmydataback”. This suggests that a hacker may have launched a ransomware attack SkyMed in the past.

Fowler discovered the exposed database on March 27th and alerted SkyMed the same day. SkyMed did not respond to Fowler. However, despite no official acknowledgement of his email, Fowler confirmed on April 5th that the database had been secured and was no longer accessible to the public.

It is unclear whether, as a provider of travel services for medical emergencies, SkyMed is a HIPAA-covered entity and is therefore required to notify its subscribers in the event of the discovery that their personal information has been subjected to unauthorised access.

It is also unclear whether SkyMed has sent notifications to comply with data breach notification laws in Florida.

This is another in a string of Elasticsearch databases being compromised. Over 114 million records of US citizens and companies stored in misconfigured Elasticsearch databases were discovered to be available online in November 2018 alone.