A Long Island, N.Y., medical practice left open a port normally used for remote synchronization, exposing at least 42,000 medical records.
UpGuard Director of Cyber Risk Research Chris Vickery found that port 873, normally used for remote synchronization and moving data between devices, was open on a server belonging to the medical practice of Cohen Bergman Klepper Romano Mds PC and configured for global access, allowing anyone who knew the server's IP address to find the data. A secure server would only allow access from select IP addresses, UpGuard wrote.
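The difference UpGuard describes, a daemon that answers anyone versus one restricted to select addresses, comes down to the rsync daemon configuration. The audit helper below is an added example, not code from UpGuard or the practice: it parses an rsyncd.conf and names every module that no "hosts allow" line limits, with a constructed weak configuration beside a restricted one (module names, paths and addresses are assumptions).

```shell
#!/bin/sh
# Added audit helper, not code from the UpGuard report: lists rsyncd.conf
# modules that any address may reach because no "hosts allow" line limits them.
# Module names, paths and addresses below are constructed for illustration.

# Print the name of every module not covered by a "hosts allow" line
# (a global "hosts allow", before the first [module], covers all of them).
unrestricted_modules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments, blank lines
        /^[ \t]*\[/ {                                   # [module] header
            sub(/^[ \t]*\[/, ""); sub(/].*$/, "")
            mod = $0; mods[++n] = mod; next
        }
        tolower($0) ~ /^[ \t]*hosts[ \t]+allow[ \t]*=/ {
            if (mod == "") global = 1; else allowed[mod] = 1
        }
        END { if (!global) for (i = 1; i <= n; i++)
                  if (!allowed[mods[i]]) print mods[i] }
    ' "$1"
}

# Weak: the daemon answers to anyone who can reach port 873.
WEAK=$(mktemp)
printf '%s\n' \
    '[records]' \
    '    path = /srv/records' \
    '    read only = no' > "$WEAK"

# Restricted: bound to an internal address, and only two hosts may connect.
SAFE=$(mktemp)
printf '%s\n' \
    'address = 10.0.0.10' \
    'hosts allow = 10.0.0.5 10.0.0.6' \
    '[records]' \
    '    path = /srv/records' \
    '    read only = no' > "$SAFE"

# Succeed (exit 0) if any module in the given file is unrestricted.
rsyncd_exposed() {
    [ -n "$(unrestricted_modules "$1")" ]
}

rsyncd_exposed "$WEAK" && echo "weak config: open module(s): $(unrestricted_modules "$WEAK")"
rsyncd_exposed "$SAFE" || echo "restricted config: every module has a hosts allow line"
```

Run it against the host's own /etc/rsyncd.conf to confirm nothing is listening for the whole Internet before the daemon goes live.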
The flaw exposed the patient names, Social Security numbers, ethnicity, insurance information, dates of birth and phone numbers held by the Huntington, N.Y., practice. In addition, physicians' personal information, including Social Security numbers, and more than three million of the doctors' notes on their patients, along with emails, were also left unprotected, UpGuard said.
The unsecured server was found on January 25, 2018 and secured on March 19.
“Beyond the obvious sensitivity of any exposure of an individual's medical background, the leak of patient and doctor Social Security numbers, in association with personal details like home address, insurance information, and date of birth, provides ample ammunition for fraudsters. Armed with the contact information for patients, and the knowledge of which doctor's office they go to, malicious actors could also socially engineer exposed individuals, posing as a representative of the physicians to further extract sensitive information,” UpGuard reported.