Health care information found residing on the exposed database was also indexed by the IoT search engine Shodan and could be viewed by anyone without a password.
Health care information found residing on the exposed database was also indexed by the IoT search engine Shodan and could be viewed by anyone without a password.

A MongoDB database containing the health care information of more than 2 million patients in Mexico was left exposed, revealing sensitive patient information.

On Aug. 3, 2018, security researcher Bob Diachenko, discovered the database containing full names, CURP numbers (a unique identity code for both citizens and residents of Mexico), insurance policy numbers and expiration dates, dates of birth, home addresses, and the "disability and migrant flags" of 2,373,764 patients -- and even hashed/salted passwords for admin accounts and emails.

The information was also indexed by the IoT search engine Shodan and was viewable and accessible to anyone without a password.

All of the patient information Diachenko viewed was related to the state of Michoacán, but the researcher was unable to determine who left the database unsecured.

Diachenko said the information appeared to be owned by Hova Health company, a telemedicine company "focused on two main areas: Telemedicine (Teleradiology - Telehealth) and software development for the health sector." 

"Issues with MongoDB have been known since at least March of 2013 and have been widely reported since," Diachenko posted online. "The company has updated its software with secure defaults and has released security guidelines. "It's been five years now and these unsecured databases are still widely available on the Internet, almost 54,000 of them now, according to Shodan."

David Johansson, principal consultant at Synopsys, pointed out this isn't the first time and incident like this has occurred.

“A very similar incident affected Mexican voter records a few years ago, where data about 93.4 million voters were exposed from a misconfigured MongoDB server,” Johansson said. “The reason this happens is often because someone installs a MongoDB database without configuring it securely, and unfortunately MongoDB had many insecure default settings that are not suitable for a production environment.”

Among these insecure defaults includes the database server being exposed on all network interfaces by default, meaning it's directly exposed to hackers if the server is connected to the internet and not protected properly. MongoDB database also doesn't require authentication to connect by default, meaning anyone with network access to the database server can query and retrieve data from it

Johansson said these are two of the most important settings that need to be changed and configured securely when installing MongoDB on internet facing serves.

Ryan Wilk, VP of customer success for Nudata Security added that any time data is left unprotected it represents an issue for the organization in question as well as the individual -- adding that healthcare data can be particularly damaging to those involved.

“This kind of PII is among the most sensitive that you can imagine, and provides insight into an individual that cybercriminals could use for further cybercrime such spear phishing, blackmail or even identity fraud,” Wilk said. “The database, which was not even password protected, is a telling example of why organizations need to move past the password/username model of authentication..."

It's unclear how long the information has been exposed.