80,000 people who participated in the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS) in 2018 may have been compromised.
A cybersecurity firm ” WizCase” released lists of medical websites across the world whose database servers are insecure. Wizcase finds it troubling as medical data are very sensitive and should be kept private.
All databases were found to be unsecured as experts do not need password to access information leaving millions of patients and medical staff members exposed.
The research leader Avishai Efrat discovered nine unsecured medical databases in countries such as Saudi Arabia, Brazil, Canada, China, the United States, France and Nigeria. Although they vary in each particular case.
According to information security experts, because most are services provided by third parties, it is likely that the people affected do not even know that their data is in the hands of these companies. Whether we are aware or not, the security risks are real; these risks include widely known practices such as phishing, extortion email campaigns, phone and email fraud, and identity theft.
Information security experts were able to establish a detailed profile with regards to the company operating the databases.
What was affected in Nigeria?
All results of the 2018 HIV/AIDS Indicators and Impact Survey were exposed in the African country. In total, the database consists of 1 GB, equivalent to about 80 thousand records.The data leak included facility and hospital names; patients’ pregnancy status; laboratory results code and value; patients’ age; HIV validation first test date and time; HIV encounter data; medical observations of anonymous people taking the survey; etc.
This survey was made of 88,775 randomly-selected households in Nigeria, counting approximately 168,100 participants, ages 15-64 years and children, ages 0-14 years.
Other Countries affected are:
- Saudi Arabia: Health-applying software company Stella Technology exposed more than 4 GB of information belonging to nearly 300k patients, including multiple personal details, on an Elasticsearch server
- Brazil: The database exposed in Brazilian territory, operated by the company Biosoft Medical Software, has 3 GB of information, equivalent to almost 1.2 million records belonging to patients throughout the country
- Canada: In the case of Canada, the company involved is Dental Software, with its ClearDent solution. In this case, an 8 MB database, equivalent to nearly 60k exposed patients, was discovered on an Elasticsearch server
- China: Tsinghua University Faculty of Medicine exhibited a database of 650 MB, equivalent to 60k patient records from Tsinghua University Hospital and other medical centers in various Chinese cities
- United States: Deep Think Health, a company that provides a machine learning platform for the medical industry, exposed a 2.8 GB database, representing more than 700k records of patients and medical staff on an Elasticsearch server. The most sensitive cases involve the exposure of diagnoses and treatment of cancer patients
- France: The involved company in French territory is Essilor, dedicated to the design and manufacture of ophthalmological devices. The compromised database consists of 5.7 GB, including details of thousands of patients, optometrists and employees from various areas of the company.
“Some of these databases are from 3rd party companies that provide data management and insight for medical institutions. “Unfortunately, they might not understand the possible implications of handling sensitive data insecurely online.
According to Wizacse, “In addition to an invasion of privacy, there are several dangers that could occur should a scammer or hacker obtain some of the data which was exposed in the medical breaches”
Implication Of the Data leaks
With so much personal identifiable information out there such as name,date of birth, address e.t.c , scammers can still ones identity
Since many of these leaks included an email address and some PIIs, a skilled scammer had enough information to write a believable email with a harmful link in it. Whether they reference the type of medication you’re on, the hospital you’re visiting, or the disease you’re suffering from it would instantly be seen as credible due to the belief of privacy.
Much like the email phishing scams, once a skilled scammer has your phone number and enough private information, they will be able to devise a credible sounding scam to take advantage of unsuspecting victims. They especially seek out sick and vulnerable “marks” for their scams because they are more likely to believe a caller with some details about their condition. These leaks gave the scammers an entire database of targets to victimize.
Scammers can use the personal information from the data leak to blackmail patients who want to keep their illness or the medicine they are taking a secret. Revealing it could threaten their jobs, family life, and financial security.
Scammers can use the information they collected, such as unedited photos of drug prescriptions, and reproduce the details for fraudulent activities. They can also pretend to be one of the patients in the database and use the information they found to commit fraud.
Data leaks such as this shows how little we have control over our personal information.It is important to note that your personal information may be out there and cyber criminals will use this to build trust by posing from a legitimate entity to get more information from you Never trust any caller regardless of who or what they identify themselves at.