Update: A representative from Ecaresoft has reached out to Digital Trends and claimed that the initial Cybernews report had some inaccurate information in it. The first sticking point from Ecaresoft was that the affected server was “a non-production environment, containing anonymized, randomly generated test data, not real patient data.” If that’s true, there was no actual risk of exposed patient data. Ecaresoft also claims that the reported number of records “exceeds the total number of records we have in our system at this time.”
Our story as published on October 23 is below:
Cybernews reports its research teams found a 500GB unprotected database of a Mexican health care company on August 26, 2024. The database exposes sensitive information such as names, personal identification numbers (CURP), phone numbers, descriptions of payment requests, and more.
The total amount of affected people adds up to 5.3 million, making up approximately 4% of the country’s population, as Cybernews notes. The Cybernews report indicates that the security mistake occurred with a “misconfigured” use of a data visualization tool called Kibana, which appears to have been left unauthenticated.
The massive volume of data was later credited to Ecaresoft, a Texas-based software company behind cloud-based Hospital Information Systems such as Anytime and Cirrus. More than 30,000 doctors, 65 hospitals, and 110 outpatient care centers use Ecaresoft services to manage tasks such as appointment booking, medicine management, inventory management, and more.
Other stolen data includes ethnicities, nationalities, religions, blood types, dates of birth, gender, email addresses, the amount charged for health care services, and the hospitals visited. This time around, threat actors are not to blame as the cause. There is no official information about whether the affected users are aware of the situation or how long the database (now taken down) was up and running.
The affected users’ health records were not taken, but with their Mexican government identification (equivalent to the U.S. Social Security number) at risk, they are exposed to wire fraud and phishing (among other things). The company has yet to release a statement about the unprotected data, but hopefully, we’ll hear something official soon. When data is left unprotected, it can be indexed by search engines and taken by threat actors who are constantly scanning the internet for these types of unprotected files.
While those in the U.S. don’t need to worry about their personal information being compromised in this instance, it shows just how important password security is. An easy-to-guess password makes you as vulnerable as no password at all. Another one of the worst password mistakes in the past decade was Equifax, the 2017 data breach that, due to using “admin” as their password, made it easy for hackers to steal their data.
