Unsecured MongoDB strikes again

Patients who attended clinical trials in Australia and New Zealand have had their personal information exposed due to an unsecured database, cybersecurity firm UpGuard warns.

A total of 37,170 individuals were impacted by the incident after a MongoDB database was left open for public viewing by an Australia-based healthcare organization, Neoclinical.

Neoclinical is said to match people with active clinical trials, which meant that their answers to sensitive screening questions were publicly viewable.

This included information pertaining to medical diagnoses, illicit drug use, and treatments, UpGuard said. Contact details were also exposed.
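The failure mode behind this and the earlier MongoDB exposures is the same: a mongod instance bound to a public interface with authentication left at its disabled default. The fragment below is an added example, not Neoclinical's configuration (which has not been published) and not code from UpGuard; it shows a mongod.conf with the exposed settings beside the corrected ones. The private address 10.0.1.5 is an assumption standing in for the host's internal network address.

```yaml
# Added example (not Neoclinical's actual configuration): mongod.conf before and after.
#
# --- exposed: listens on every interface and accepts clients without credentials ---
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network the host is attached to
# no `security` section, so security.authorization stays at its default of disabled

---
# --- corrected: localhost plus the internal interface, with authentication required ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5   # assumption: 10.0.1.5 is the host's private address
security:
  authorization: enabled       # clients must authenticate; create an admin user first
```

Since MongoDB 3.6 the packaged default is to bind to localhost only, so an instance that answers on a public address has usually been reconfigured deliberately. After applying the corrected settings, restart mongod and confirm from a host outside the network that a connection to port 27017 is refused; also check that the cloud security group or firewall does not expose 27017 to 0.0.0.0/0, because a correct bindIp does not help if a proxy or port forward in front of the host republishes the port.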

UpGuard confirmed in a blog post that the database has since been secured – although not without some dogged persistence on its part.

“The researcher called both phone numbers on Neoclinical’s website, one of which was disconnected and the other was configured to record a ten second message to be transcribed and sent as text,” UpGuard said.

“On July 25 the researcher escalated notification to AWS Security, which followed their standard procedure of responding that they would notify the owner of the database.

“On July 26, public access to the database was removed.”

The Daily Swig has reached out to UpGuard to learn whether it had uncovered any evidence of third party access by criminals or mischief makers in its investigation of Neoclinical’s exposed database.

In a statement to The Sydney Morning Herald on Wednesday, Neoclinical said that it had informed Australia’s Privacy Commissioner – now officially known as the Information Commissioner – of the data exposure.

“On receiving this advice we immediately shut down all access to the server,” a spokesperson said.

Australia’s year-old Notifiable Data Breaches (NDB) scheme requires organizations that handle health information to report eligible security incidents within a month of discovery, or face a potential fine of up to A$3 million ($2.1 million).

Organizations are additionally required to notify consumers if an incident is “likely to result in serious harm”. It’s unclear whether or not Neoclinical has taken these steps.

Neoclinical’s website is currently inaccessible; the Herald reports that this is a temporary precautionary measure.

The news comes alongside fresh statistics from the Protenus Breach Barometer, which states that 285 data breaches were reported to the US Department of Health and Human Services (HHS) in the first half of 2019 alone.

This equated to 31,611,235 patient records affected by poor security practice, Protenus said.

UpGuard believes that the healthcare market has a long way to go before it is considered secure for the digital age.

“For individuals, this [Neoclinical] case provides a reminder that whenever they pass information to a third party, they should consider the impact of that data being exposed,” it said.

“And for companies, it should highlight the importance of having an incident response capability so that when data leaks occur, they can be mitigated within hours rather than weeks.”
