Netherlands-based ethical hacker Jelle Ursem, working with Databreaches.net, uncovered nine data breach incidents at multiple health care providers that together exposed the medical records of over 200,000 U.S. patients. In a security report, Ursem stated that the leaks occurred after developers exposed login credentials on GitHub, the public software development platform. With a few simple searches, he found GitHub repositories that contained patients' personally identifiable information (PII) and protected health information (PHI).
The nine U.S. entities affected in the incident include Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, AccQData, and one entity that was left unnamed.
Negligent Developers
Databreaches.net identified the developer errors that most commonly caused the leaks:
- Embedding hard-coded login credentials in code instead of making them a configuration option on the server the code runs on
- Using public repositories instead of private repositories
- Failing to use two-factor or multifactor authentication for email accounts and/or
- Abandoning repositories instead of deleting them when no longer needed
How to Avoid Leaks on GitHub
- Forcing password changes periodically
- Using 2FA or MFA for email accounts
- Prohibiting the use of public repositories by your developers and requiring the use of private repositories
- Prohibiting the use of hardcoded login credentials in repositories
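To make the hard-coded-credential point in both lists concrete, here is an added example written for this page (it is not code from the Databreaches.net report or from any of the named companies): a minimal scanner that flags the kind of hard-coded logins described above, run over a constructed settings file, beside the configuration-based loader that should replace them. The regexes, the `.invalid` host names and the sample settings file are all assumptions made for illustration, not any real tool's ruleset.

```python
"""Added example (not code from the Databreaches.net report or from any
of the named entities): a small credential scanner that flags the kind of
hard-coded logins Ursem searched for, next to the configuration-based
pattern that should replace them. All names, hosts and sample lines are
constructed for illustration."""
import os
import re
import sys
from dataclasses import dataclass

# Illustrative patterns (assumed, not any particular tool's ruleset). Each one
# names the secret part as a group where possible so findings can be redacted.
CREDENTIAL_PATTERNS = {
    "url_with_password": re.compile(
        r"\b(?:ftp|sftp|https?|postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:(?P<secret>[^\s@/]+)@", re.I),
    "password_assignment": re.compile(
        r"""(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"](?P<secret>[^'"]{4,})['"]""", re.I),
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    evidence: str  # the matched text with the secret masked

def _redact(match):
    """Mask the captured secret so the finding can go into a CI log safely."""
    text = match.group(0)
    secret = match.groupdict().get("secret")
    if secret:
        text = text.replace(secret, secret[:2] + "*" * (len(secret) - 2))
    return text

def scan_text(path, text):
    """Return one Finding per (line, pattern) hit; evidence never echoes the secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, line_no, kind, _redact(match)))
    return findings

def scan_paths(paths):
    """Scan files on disk (e.g. the staged files in a pre-commit hook)."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # unreadable files are skipped, not fatal
    return findings

# The "before": a constructed settings file in the style of the leaked repositories.
SAMPLE_SETTINGS = """\
# settings.py (constructed sample)
FTP_URL = "ftp://billing_user:Winter2019!@sftp.example-billing.invalid/export"
DB_PASSWORD = "s3cretDbPassw0rd"
API_TOKEN = os.environ["API_TOKEN"]   # pulled from the environment: not flagged
"""

# The "after": credentials come from the server's configuration, never the repo.
REQUIRED_SETTINGS = ("DB_HOST", "DB_USER", "DB_PASSWORD")

def missing_settings(env=None):
    """List the required settings that are absent or empty in the environment."""
    env = os.environ if env is None else env
    return [key for key in REQUIRED_SETTINGS if not env.get(key)]

def load_db_settings(env=None):
    """Fail closed: refuse to start rather than fall back to a baked-in default."""
    env = os.environ if env is None else env
    missing = missing_settings(env)
    if missing:
        raise RuntimeError("missing configuration: " + ", ".join(missing))
    return {key.lower(): env[key] for key in REQUIRED_SETTINGS}

if __name__ == "__main__":
    found = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("settings.py", SAMPLE_SETTINGS)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.evidence}")
    sys.exit(1 if found else 0)   # a non-zero exit blocks the commit
```

Run with no arguments it scans the embedded sample and exits 1 on the FTP URL and the password assignment while leaving the environment-backed line alone; run with file paths (for instance the output of `git diff --cached --name-only` from a pre-commit hook) it scans those instead. Masking the secret in the evidence matters because scanner output ends up in CI logs, which would otherwise be one more place the password leaks to.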
“It took Ursem less than ten minutes to find that yes, medical data had been exposed on GitHub — and a lot of it. Ursem uses variations on simple search phrases like ‘company name password’ (or in this case, ‘medicaid password FTP’) to quickly find potentially vulnerable hardcoded login usernames and passwords for systems. After identifying potential targets, Ursem just logs in with the front door key. It does not matter if the credentials Ursem finds relate to a database, an Office365 or Gmail account or a Secure File Transfer host. You just point the right software at it and hit connect. It really is that simple,” the report said.
“Once logged in to a Microsoft Office365 or Google G Suite environment, Ursem is often able to see everything an employee sees: contracts, user data, internal agendas, internal documents, emails, address books, team chats, and more,” the report added.