COVID-19 Testing Service Exposes 50,000 Patients’ Personal Info on The Web
Premier Diagnostics was storing sensitive data belonging to its customers on a publicly accessible server.
Premier Diagnostics, a company based in Utah, was storing sensitive data belonging to its customers on a publicly accessible server.
Premier Diagnostics is a COVID-19 testing provider for individual patients, clinics, schools, and businesses, serving primarily residents of Utah.
Researchers at Comparitech, the company that found the exposure, say the negligence could amount to a data breach affecting over 50,000 customers.
This data could now be in anyone's hands. If it was copied while it was exposed, your ID and medical insurance card could already be circulating on the dark web.
What data could’ve been leaked?
To get tested for COVID-19, customers had to submit photos of the front and back of their insurance ID card and of an identification document such as a driver's licence, passport, or other form of ID. The company kept both sides of each ID and both sides of each medical insurance card.
How could this data be accessed by hackers?
The company had stored all of that data on a server that was publicly accessible online, with no password required to read it.
Anyone with the right know-how could have accessed all of the personal and private data with minimal effort, but for the time being it is unknown whether any malicious parties got their hands on it.
We don’t know for sure that any malicious parties got to it, but we’ve run honeypot experiments before where we see activity on that sort of unsecured data within a matter of hours.
It took them a few days to get it secured.
The issue was discovered on February 22 by a researcher who scans the internet for unsecured databases; the data was secured on March 1, so the sensitive content was exposed for a full week.
It’s low-hanging fruit; it’s really easy.
They use the same tools that we do, the tools we use to find the database in the first place; they use the same tools to find it and steal it.
Fortunately, no payment information appears to have been stored alongside the data in the database. No exploit was needed to reach it, either: an unauthenticated database exposed to the internet can be located with the same scanning tools researchers use and its contents copied directly, so no SQL injection or other attack was required.
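The point of the researchers' remarks above is that an exposed, password-less data store is found by scanning, not by exploitation. The following self-audit script is an added example, not code from the article, from Comparitech or from Premier Diagnostics: it takes a host you own, checks a handful of well-known ports for HTTP-speaking data stores, and reports which ones answer an unauthenticated `GET /` with data instead of a 401/403. The article does not name the database product involved, so the port-to-service table and the "answers 200 with JSON" heuristic are assumptions about what such an exposure typically looks like.

```python
"""Self-audit for internet-exposed, unauthenticated HTTP data-store APIs.

Added example (not from the article, Comparitech or Premier Diagnostics).
Assumption: the store speaks HTTP on a well-known port, as Elasticsearch,
CouchDB, Kibana and Solr do; the article does not say which product leaked.
Run it only against hosts you are authorised to test.
"""
import http.client
import json
import socket

# Assumed mapping of common HTTP data-store ports to service names.
DEFAULT_PORTS = {
    9200: "elasticsearch",
    5984: "couchdb",
    5601: "kibana",
    8983: "solr",
}


def port_open(host, port, timeout=2.0):
    """Plain TCP connect: is anything listening on host:port at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_http(host, port, timeout=3.0):
    """Send an unauthenticated GET / and classify the reply.

    Returns (verdict, detail) where verdict is one of:
      "no-auth"       200 with a readable body (parsed JSON if possible)
      "auth-required" 401 or 403, i.e. credentials are being enforced
      "other"         any other HTTP status
      "no-http"       the port did not speak HTTP or dropped the connection
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(4096)
        conn.close()
    except (OSError, http.client.HTTPException):
        return "no-http", None

    if resp.status in (401, 403):
        return "auth-required", None
    if resp.status == 200:
        try:
            return "no-auth", json.loads(body)
        except ValueError:
            return "no-auth", body[:200].decode(errors="replace")
    return "other", resp.status


def check_host(host, ports=None):
    """Return a finding dict for every listening port in `ports`.

    Ports that are closed are skipped; the caller decides what to do with
    "no-auth" findings, which are the ones that would let a scanner read
    the data without any exploit.
    """
    ports = ports or DEFAULT_PORTS
    findings = []
    for port, service in ports.items():
        if not port_open(host, port):
            continue
        verdict, detail = probe_http(host, port)
        findings.append({
            "host": host,
            "port": port,
            "service": service,
            "verdict": verdict,
            "detail": detail,
        })
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for finding in check_host(target):
        flag = "EXPOSED" if finding["verdict"] == "no-auth" else "ok"
        print(f"{flag:8} {finding['host']}:{finding['port']} "
              f"{finding['service']} -> {finding['verdict']}")
```

A "no-auth" result on a public address is exactly the condition described in the article: no credentials, no exploit, just a service that hands its contents to whoever connects. The fix is the same regardless of product: bind the service to a private interface, require authentication, and front it with a firewall rule, then re-run the probe from outside your network to confirm.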