Jeremiah Fowler, a researcher with Security Discovery recently found an unprotected Elasticsearch databased owned by a company called SkyMed on the internet. According to his findings the database was configured such that it was open and visible to any browser. This allows anyone who stumbles across it to edit, download, or even delete data without administrative credentials.
The database contained a total of 136,995 patient records with histories going back thirty years in some cases.
It also included a variety of personally identifiable information such as:
- Patient full name
- Email address
- Date of birth
- Phone numbers
- In some cases, detailed medical information
Mr. Fowler promptly contacted SkyMed to inform them of the discovery. To their credit, the company promptly took the database offline. They did not, however, make a formal reply to Mr. Fowler. They have not, to this point, reached out to any of the patients whose names and personal information appeared in the database.
In addition to the unprotected database, Mr. Fowler discovered forensic evidence that indicated the company's network may have been infected with an unknown ransomware strain. Again, however, the company has maintained total silence and has not contacted anyone, including their customers or impacted patients with details.
This complete lack of response is highly unusual. On the heels of such an incident, we normally see a formal acknowledgement, an apology, a statement to the effect that the company is working with law enforcement and possibly engaging the services of a third party to assist with the investigation. In addition to that, companies almost always make some effort to reach out to impacted parties to warn them of the dangers, advise of next steps they can take and offer free credit protection.
None of that has happened thus far, which could prove to be disastrous for SkyMed. In the absence of those steps, it's difficult to see how the company's customers can trust them going forward. In any case, be advised that if you are in any way reliant on SkyMed for any part of your care, there's a chance your personally identifiable data was exposed.