Health Genie, a healthcare IT solutions provider based in India, has exposed patients’ personal details as well as sensitive clinical data.
Health Genie’s open Amazon S3 bucket exposed over 36 gigabytes of data, or nearly 450,000 documents, the Cybernews research team said.
Health Genie provides health care services, such as finding doctors, booking appointments, electronic health record (EHR) systems, reporting and analytics, financial monitoring, and other services. The Health Genie app has over 100,000 downloads on the Google Play store.
The exposed instance contained personal identifiable information (PII) and identifiable health records. The exposed bucket exposed:
Patient bills
Clinical notes
Lab reports
Appointment details (photos, screenings, etc.)
Names
Dates of birth
Phone numbers
Addresses
Medical contract numbers
Medical histories
Payment details
The team identified that out of 450,000 exposed documents, 200,000 were those of the service’s patients.
The dataset has been exposed for several months after researchers discovered the open instance and informed the company about the issue.
Exposing personal medical data poses severe risks for affected individuals as attackers could use the information for identity theft, financial fraud, targeted phishing attacks, blackmail, and potentially compromise patients’ medical histories and personal information.
Individual healthcare data can be sold on dark web forums. For example, hackers can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to health insurers.
