
UChicago Medicine secures database after publicly exposing info on donors and patients

The University of Chicago Medicine scrambled to secure a database containing information on patients as well as existing and potential financial donors, after a researcher discovered that a misconfiguration left nearly 1.68 million records exposed to the public.

Bob Diachenko, cyber threat intelligence director at Security Discovery, said in a June 3 company report that he found the open Elasticsearch database on May 28 using Shodan, a search engine that indexes internet-exposed services. The 34GB cluster, named "data-ucmbsd2", reportedly contained 1,679,993 records with information that included individuals' names, birth dates, addresses, phone numbers, email addresses, genders, marital statuses and financial status, as well as communication notes.

Certain records also contained the names and clinical areas of physicians who treated patients listed in the database, UChicago Medicine acknowledged in its own June 3 press release. However, the database did not include information from patients' medical records, nor did it hold financial account information or Social Security numbers, the institution said.

According to Diachenko, UChicago Medicine secured the database less than 48 hours after he privately disclosed the exposure to the university.

UChicago Medicine said the information was exposed "when a vendor hosting the database accidentally misconfigured a server."

"We are conducting a comprehensive forensic investigation and have determined that no unauthorized parties – beyond this security researcher – accessed the information in the database," the university continued. "The researcher confirmed that he never downloaded the full database and only accessed a limited number of records."

"The danger of having an exposed (passwordless) Elasticsearch or similar NoSQL databases is huge," stated Diachenko in his report, warning that a lack of authentication could allow attackers to install malware on the ES servers. "The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains."
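The exposure Diachenko describes is detectable from two plain HTTP requests, which is exactly what a Shodan-style scan keys on: a node with security enabled answers `GET /` with a 401 before revealing anything, while an open node returns its cluster name and version, and `GET /_cat/indices` then lists every index with its document count. The Python below is an added example written for this article, not code from Security Discovery, UChicago Medicine or its vendor. It triages a node from those two responses and, on the configuration side, flags an `elasticsearch.yml` that binds a non-loopback interface without `xpack.security.enabled: true`, which is the shape of misconfiguration the press release alludes to. The sample responses, index names, document counts and config snippets are constructed for the example; the minimal key/value parser is assumed sufficient for flat settings and is not a general YAML parser.

```python
"""Triage an Elasticsearch endpoint for unauthenticated exposure.

Added example for this article, not code from Security Discovery, UChicago
Medicine or its hosting vendor. All sample responses, index names, document
counts and config snippets below are constructed.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Exposure:
    unauthenticated: bool
    cluster_name: str = ""
    version: str = ""
    indices: dict = field(default_factory=dict)  # index name -> document count

    @property
    def total_docs(self) -> int:
        return sum(self.indices.values())


def assess(root_status: int, root_body: str,
           indices_status: int, indices_body: str) -> Exposure:
    """Decide from GET / and GET /_cat/indices?format=json whether a node is open.

    With security enabled the node returns 401 on GET / before sending any
    cluster metadata; an open node returns 200 with cluster name and version.
    """
    if root_status != 200:
        # 401/403 means authentication is enforced; any other status is not
        # evidence of exposure, so report the node as not proven open.
        return Exposure(unauthenticated=False)
    root = json.loads(root_body)
    exp = Exposure(True,
                   root.get("cluster_name", ""),
                   root.get("version", {}).get("number", ""))
    if indices_status == 200:
        for row in json.loads(indices_body):
            name = row.get("index", "")
            if name.startswith("."):  # hidden/system indices such as .kibana
                continue
            # _cat returns every column as a string; closed indices have none.
            exp.indices[name] = int(row.get("docs.count") or 0)
    return exp


def fetch(url: str, timeout: float = 5.0) -> tuple:
    """GET a URL and return (status, body), treating HTTP errors as results."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base: str = "http://127.0.0.1:9200") -> Exposure:
    """Live version of assess(); point it only at hosts you are authorised to test."""
    return assess(*fetch(base + "/"), *fetch(base + "/_cat/indices?format=json"))


def config_is_open(yaml_text: str) -> bool:
    """True if elasticsearch.yml binds a non-loopback interface with security off.

    Minimal 'key: value' parser for flat settings (assumed sufficient here; a
    real tool would use a YAML library). network.host defaults to loopback.
    """
    settings = {}
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments, incl. commented-out keys
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    host = settings.get("network.host", "127.0.0.1")
    public = host not in ("127.0.0.1", "localhost", "_local_", "::1")
    secured = settings.get("xpack.security.enabled", "").lower() == "true"
    return public and not secured


# Constructed sample responses: what an open 7.x node answers, and what a
# secured one answers, to GET / and GET /_cat/indices?format=json.
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "data-ucmbsd2",
                        "version": {"number": "7.1.0"}})
OPEN_INDICES = json.dumps([
    {"index": "patients", "docs.count": "1200000", "store.size": "20gb"},
    {"index": "donors", "docs.count": "479993", "store.size": "14gb"},
    {"index": ".kibana_1", "docs.count": "3", "store.size": "10kb"},
])
SECURED_ROOT = json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials"},
                           "status": 401})

# Constructed config snippets: the weak setting and the corrected one.
WEAK_YAML = "network.host: 0.0.0.0\nhttp.port: 9200\n# xpack.security.enabled: true\n"
FIXED_YAML = "network.host: 0.0.0.0\nhttp.port: 9200\nxpack.security.enabled: true\n"

if __name__ == "__main__":
    e = assess(200, OPEN_ROOT, 200, OPEN_INDICES)
    print(f"open={e.unauthenticated} cluster={e.cluster_name} docs={e.total_docs}")
    print("weak config open:", config_is_open(WEAK_YAML))
    print("fixed config open:", config_is_open(FIXED_YAML))
```

Enabling `xpack.security.enabled` alone is not a complete fix: the node will still be reachable, so the bind address and host firewall should restrict 9200/9300 to the clients that need them, and the inventory check above belongs in a recurring scan of every cloud account a vendor operates on your behalf.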

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
