Elasticsearch medical breach

A health company’s unprotected server exposed over six million health records in the last 12 months.

Meditlab, an electronic medical record company, has left a server for electronic faxes completely unprotected since bringing it online in March 2018. This meant that any information transmitted between medical offices, including records, doctor’s notes, prescriptions, and patient names, addresses, health insurance information and Social Security numbers, was accessible to outside parties.

Meditlab has declined to comment in detail, instead releasing a statement from its general counsel saying that the company was reviewing “logs and records to access the scope of any potential exposure.”

The exposure was discovered and reported to TechCrunch by SpiderSilk, a Dubai-based cybersecurity firm. The patient data was on a server running Elasticsearch, a search engine commonly configured for internal use at companies and government organizations.

Many server administrators assume Elasticsearch is for internal use only, and as a result it’s often left without even rudimentary security settings. This has led to several of the biggest data leaks within the last six months, including the personal information of 4 million internship applicants, 2.4 million Dow Jones & Co. clients, the Brazilian government and many others.