Security & privacy

Wow! Millions of medical records were easily available to would-be hackers

When we go to the hospital or doctor’s office we do so because we need some medical attention. Our primary focus is getting better, with perhaps a secondary thought on how much that will actually cost.

After that though we probably don’t think about much else, least of all the information we handed over to the doctors. Whether it’s the form we fill out upon arrival or anything else that gets entered into a system, it’s just kind of the thing we do.

The data we provide is entered into a computer system, and one of the most widely used packages for that is OpenEMR. It is open source, and offices around the world use it for everything from storing records to billing patients and handling schedules.

Turns out there was a problem with the software

Like anything else online, there was always the possibility of hacks and other issues. In this case, security researchers found more than 20 bugs in the software, many of them serious.

Put simply, the personal information of an estimated 90 million patients could have been exposed to bad actors.

The issue was discovered by researchers at Project Insecurity, whose audit found OpenEMR's security badly lacking and recommended a range of fixes. The firm contacted OpenEMR in July to discuss its findings.

What needs to be fixed? Well, OpenEMR's software allowed for patient portal authentication bypass, SQL injection, unauthenticated information disclosure, unrestricted file upload, remote code execution, cross-site request forgery (CSRF), unauthenticated administrative actions and arbitrary file actions in import_template.php.
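To make the first two items on that list concrete, here is an added example of how a SQL injection in a patient-portal login turns into an authentication bypass, next to the parameterized version that stops it. This is illustrative code written for this page, not OpenEMR's code and not Project Insecurity's findings: the table portal_users, the account jdoe, the functions login_vulnerable, login_hardened and forge_payload, and the payload itself are all hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# Everything below is a constructed, hypothetical patient-portal login.
# The table, columns, the user "jdoe" and the payload are assumptions
# for illustration, not OpenEMR's schema or code.

PBKDF2_ROUNDS = 50_000


def hash_pw(password: str, salt_hex: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 password hash, returned as hex."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    ).hex()


def build_db() -> sqlite3.Connection:
    """In-memory database holding one constructed portal account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE portal_users (username TEXT PRIMARY KEY, pw_hash TEXT, salt TEXT)"
    )
    salt = os.urandom(16).hex()
    conn.execute(
        "INSERT INTO portal_users VALUES (?, ?, ?)",
        ("jdoe", hash_pw("correct horse", salt), salt),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string formatting, so the username becomes SQL."""
    query = (
        "SELECT username, pw_hash, salt FROM portal_users "
        f"WHERE username = '{username}'"
    )
    row = conn.execute(query).fetchone()
    if row is None:
        return None
    user, pw_hash, salt = row
    # Hashing the stored password does not save this code: the UNION
    # payload below makes the query return a row whose hash and salt
    # the attacker chose, so their own password verifies as "jdoe".
    return user if hash_pw(password, salt) == pw_hash else None


def login_hardened(conn, username: str, password: str):
    """Parameter binding: the username can only ever be a value."""
    row = conn.execute(
        "SELECT username, pw_hash, salt FROM portal_users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    user, pw_hash, salt = row
    # Constant-time comparison avoids leaking hash prefixes via timing.
    return user if hmac.compare_digest(hash_pw(password, salt), pw_hash) else None


def forge_payload(target_user: str, attacker_password: str) -> str:
    """Username that appends an attacker-chosen credential row via UNION.

    The real WHERE clause matches nothing, so fetchone() returns the
    attacker's row; the trailing '--' comments out the closing quote.
    """
    salt = "00" * 16
    fake_hash = hash_pw(attacker_password, salt)
    return f"nobody' UNION SELECT '{target_user}', '{fake_hash}', '{salt}' -- "


def demo() -> dict:
    """Run the legitimate login and the attack against both routines."""
    conn = build_db()
    payload = forge_payload("jdoe", "attacker-chosen")
    return {
        "legit_vulnerable": login_vulnerable(conn, "jdoe", "correct horse"),
        "attack_vulnerable": login_vulnerable(conn, payload, "attacker-chosen"),
        "legit_hardened": login_hardened(conn, "jdoe", "correct horse"),
        "attack_hardened": login_hardened(conn, payload, "attacker-chosen"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the UNION payload is that the attacker never needs the victim's password: once untrusted input is spliced into the query text, the attacker decides what rows come back, and the password check then verifies data the attacker supplied. Binding the username as a parameter removes that control entirely, which is why the hardened routine returns nothing for the same payload.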

Eighteen of the bugs were rated "high" severity, and they could have been exploited by attackers with only low-level access to systems running the software.

What’s been done to correct the issue?

The good news is that there is no sign of an actual hack or breach, only that the opening for one was very much there. As near as anyone can tell, nothing came of it.

Instead, the problem was corrected before it became disastrous, which is a nice change of pace for this kind of story.

After learning of the problem, OpenEMR issued patches to its users and cloud customers. The project's administrator told the BBC that it takes security very seriously and therefore treated the report as a very high priority.

Medical identity theft is a real problem, though

While it may not be the most high-profile kind of data theft, medical identity theft can be really problematic for those who are victimized. Just think about all the information that could be taken, and then consider what it could lead to.

Anyone with your information could submit fraudulent claims to Medicare and other health insurance providers without your knowledge, disrupting your medical care and ruining your credit score. That is on top of everything else they could do with your name, address, Social Security number and the like.
