The University of Chicago Medicine scrambled to secure a database containing information on patients as well as existing and potential financial donors, after a researcher discovered that a misconfiguration left nearly 1.68 million records exposed to the public.
Bob Diachenko, cyber threat intelligence director at Security Discovery, said in a June 3 company report that he found the open Elasticsearch database on May 28 while using the Shodan search engine. The 34GB cluster, named “data-ucmbsd2,” reportedly contained 1,679,993 records with information that included individuals’ names, birth dates, addresses, phone numbers, email addresses, genders, marital statuses, and financial status, as well as communication notes.
Certain records also contained the names and clinical areas of physicians who treated patients listed in the database, UChicago Medicine acknowledged in its own June 3 press release. However, the database did not include information from patients’ medical records, nor did it hold financial information or Social Security numbers, the school asserted.
According to Diachenko, UChicago Medicine fixed the misconfiguration less than 48 hours after he privately disclosed it to the university.
UChicago Medicine said the information was exposed “when a vendor hosting the database accidentally misconfigured a server.”
“We are conducting a comprehensive forensic investigation and have determined that no unauthorized parties – beyond this security researcher – accessed the information in the database,” the university continued. “The researcher confirmed that he never downloaded the full database and only accessed a limited number of records.”
“The danger of having an exposed (passwordless) Elasticsearch or similar NoSQL databases is huge,” stated Diachenko in his report, warning that a lack of authentication could allow attackers to install malware on the Elasticsearch servers. “The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”