Security & privacy

400M+ medical records exposed in massive data breach – What it means for you

Update: After publication, a Deep 6 AI spokesperson reached out to Komando with this statement:

“Despite recent claims, no personal or patient health data was accessed, leaked or at risk from a Deep 6 AI proof-of-concept database.

In August, a security researcher accessed a test environment that contained dummy data from MIT’s Medical Information Mart of Intensive Care (MIMIC) system, an industry standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems.

Based on current reporting, we have confirmed that the recent claims reference MIMIC data, and there was no access to real patient records. When the researcher notified us in August, we immediately secured the test environment to ensure there was no further concern.

Data security and privacy is a top priority at Deep 6 AI, and the responsibility to protect data is at the core of our business and top-of-mind for all our people.”

Hospitals are notorious for their lax cybersecurity protections. Case in point: Hackers just infiltrated a database of 422 million patient records. It all happened because no one protected the records with a password.

When it comes to hospitals, weak protections cause physical harm. In 2019, hospitals hit by ransomware dealt with malfunctions on life-saving devices. Tap or click here for the story of how cyberattacks led to an increase in fatal heart attacks.

In all, security researchers found 68.53GB of private data exposed to anyone on the internet, comprising 886.5 million records. Since healthcare is a huge target, you need to stay safe from security risks like this.

What you need to know

Credit for this discovery goes to security researcher Jeremiah Fowler and the Website Planet research team. They discovered a non-password-protected medical database with 68.53GB of medical data. This exposed all sorts of information, including:

  • Patient IDs
  • Patient type
  • Physician names
  • Notes about patient illnesses, lab results, medicines and more
  • Date of service and much more

Some of this data was encrypted, but the notes and other physician information were stored in plain text. This is a problem because many physician notes in the database contained intimate details about patients’ medications, treatments and more.

If you told your doctor about family, social or emotional issues, they may have recorded them in this database. Since many notes were left unsecured, a stranger could read about depression, money issues and family conflict, for example. How much is exposed depends on how much information the patient shared.

“These were very complete descriptions and it was surprising just how many small details were included in these notes. It is a rare look behind the scenes of how these notes look and the kind of information that is collected by medical workers.”

Report: Medical AI Company Exposed Millions of Records Online from Website Planet

One patient was unable to stop sobbing during her meeting, the report says. The doctor wrote down her experience with social service workers as well as her medications.

This extremely private information was sitting where security researchers could discover it. That raises the question: Who else could have read it?

On the bright side…

Here’s some good news: The Website Planet research team alerted the owner of the database involved in the breach. After they sent a responsible disclosure notice, public access to the database was restricted. That means the records, which appeared to belong to patients in the U.S., are no longer publicly reachable.

Another piece of good news is the team didn’t find an indication anyone else came across the patient records. Of course, that doesn’t rule out the possibility that other people saw it.

Skilled hackers who find exposures like this can break into encrypted files, attack companies with ransomware and more. Tap or click here to make sure ransomware doesn’t hit your business.

How to stay safe

Whenever you hear about big data breaches like this, you should check to see if you’re a part of it. You can head to sites like HaveIBeenPwned, for example.

It’s a free database that lets you input your phone number or email address to find out if your information is part of a leak. Tap or click here to see if your info is floating around the web.
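One way to see how a breach lookup can be done without handing over the secret you are checking, as an added example that is not part of the original article and not code from Komando, Website Planet or Have I Been Pwned: HIBP’s Pwned Passwords "range" endpoint (a different service from the email and phone lookup mentioned above, which requires an API key) accepts only the first five hex characters of the SHA-1 hash of a password and returns every matching hash suffix with a breach count, so the full password never leaves your machine. The response below is a constructed, shortened stand-in for a real reply, and the network request is left as a URL builder so the code runs offline; the use of the "password" example string and the sample counts are assumptions.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample of what the Pwned Passwords range endpoint returns for the
# hash prefix "5BAA6". Each line is "<35-char SHA-1 suffix>:<breach count>".
# A real response contains hundreds of lines (some padded with a count of 0);
# only the middle line is the real suffix of SHA-1("password"), the counts and
# the other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFEEDDCCBBAA99887766554433221100ABC:0
"""

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_hash(secret: str) -> Tuple[str, str]:
    """Hash the secret with SHA-1 and split the uppercase hex digest into the
    5-character prefix that is sent to the service and the 35-character
    suffix that stays local."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_url(prefix: str) -> str:
    """Build the k-anonymity query URL. Only the prefix is disclosed, so the
    service learns that the secret is one of roughly a million candidates."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' response body into a dict keyed by suffix,
    skipping blank or malformed lines rather than failing on them."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(secret: str, range_body: str) -> int:
    """Return how many times the secret appeared in known breaches according
    to the (already fetched) range response, or 0 if it is not listed."""
    _, suffix = split_hash(secret)
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("would query:", build_range_url(prefix))
    print("breach count:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

To run this against the live service you would fetch `build_range_url(prefix)` over HTTPS and pass the response text to `breach_count`. Note that a count of 0 in the sample response is deliberate: padded responses include decoy entries with zero hits, and the lookup treats them exactly like a missing suffix.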

You should also expect a spike in phishing attempts. Scammers who have your private information could call you and email you. They’ll try to throw you off your guard so you give up even more information, which could open the door for all kinds of havoc.

At best, they’ll trick you into giving them cash. At worst, they can steal your identity and frame you for crimes. Tap or click here for five subtle clues that an email is really a clever phishing scam.
