Thursday, 3 April 2025
25.7 C
Singapore
28.2 C
Thailand
20.8 C
Indonesia
26.9 C
Philippines

Health records of 5.3 million people exposed due to password error

5.3 million health records were exposed due to a password error, putting millions at risk of fraud and scams due to weak cybersecurity practices.

A recent data breach exposed the sensitive health records of 5.3 million people in Mexico. The breach occurred when a 500GB database belonging to a Mexican healthcare company was left unprotected due to a password mistake. Cybernews, an online research organisation, uncovered the exposed database on August 26, 2024.

The database held crucial information, including names, personal identification numbers (CURP), phone numbers, and detailed descriptions of payment requests. According to Cybernews, the breach affected around 4% of Mexico’s population, making it a significant security lapse.

How the breach occurred

The breach resulted from a “misconfigured” use of a popular data visualisation tool, Kibana. The tool was left unauthenticated, meaning anyone could access the data without a password. While this wasnโ€™t a deliberate hack by cyber criminals, it highlights how easily data can be exposed when proper security measures are not in place.

Ecaresoft, a Texas-based software provider known for cloud-based Hospital Information Systems, is the company responsible for this massive data exposure. Ecaresoftโ€™s products, including Anytime and Cirrus, are widely used in Mexico, serving more than 30,000 doctors, 65 hospitals, and 110 outpatient care centres. Their services help manage various healthcare tasks, such as booking appointments, handling medications, and maintaining inventories.

Unfortunately, the breach also exposed additional sensitive information, including users’ ethnicities, nationalities, religions, blood types, dates of birth, and email addresses. The amount charged for healthcare services, gender details, and hospital visits were also leaked.

There is no sign of malicious intent, but risks remain

Unlike many data breaches caused by hacking groups, this incident did not result from a deliberate cyberattack. The error was purely due to poor security practices and a lack of password protection. However, the lack of malicious intent does not mean the affected individuals are safe. Their government-issued identification numbers, equivalent to the U.S. Social Security numbers, were exposed, putting them at risk of phishing scams, wire fraud, and identity theft.

Despite the seriousness of the situation, official information needs to be provided about how long the database remained online or whether affected users have been informed. Ecaresoft has yet to release formal statements, leaving millions uncertain about the consequences.

A stark reminder of password security

This incident is a stark reminder of the importance of proper password management and online security. Weak or non-existent passwords can lead to catastrophic data breaches. The case of Ecaresoft isnโ€™t the first time a password error has led to a major data breach. One of the most notable cases was the Equifax breach in 2017, where hackers stole sensitive data after discovering that “admin” was being used as the companyโ€™s password.

Although this breach does not affect U.S. citizens, it is a clear lesson for everyone. Protecting your online data with strong, secure passwords is essential. With increasing personal and sensitive information being stored online, even a small mistake like a weak password can lead to severe consequences.

As more companies adopt cloud-based services and digital healthcare systems, the need for stringent cybersecurity measures becomes even more critical. For now, those affected by the Ecaresoft breach can only hope for a swift response from the company and the implementation of better security protocols in the future.

Editor’s note: This story has been updated with a response from Ecaresoft. Ecaresoft has clarified that the exposed server was a non-production environment containing anonymised, randomly generated test data, not real patient data. The company disputes the claim that over 5 million individuals are at risk and states that the reported exposure did not involve actual health records.

Hot this week

Sony unveils WF-C710N earbuds with improved battery life and noise cancellation

Sony announces the WF-C710N earbuds, which offer better battery life and noise cancellation, and new colours for the WH-CH720N and WH-CH520 headphones.

Nothing Phone (3a) Pro review: A mid-range marvel with standout zoom

Nothing Phone (3a) Pro blends standout design, powerful zoom camera, and smart features, making it a top choice in the mid-range segment.

Facebook introduces friends-only feed to cut out algorithmic content

Facebookโ€™s new Friends tab removes algorithmic recommendations, letting you see only posts from friends. It is now rolling out in the US and Canada.

NUS partners with Microsoft Research Asia to advance AI research and nurture future tech talent

NUS and Microsoft Research Asia partner to boost AI research and develop future computing talent through a joint PhD and industry collaboration.

Tenable reveals privilege escalation flaw in Google Cloud Run

Tenable uncovers a privilege escalation flaw in Google Cloud Run, exposing risks linked to inherited permissions and service interdependencies.

Qualcomm expands AI research with MovianAI acquisition

Qualcomm has acquired Vietnamese AI research firm MovianAI to boost its AI development in smartphones, PCs, and software-defined vehicles.

Roblox introduces new parental controls to enhance child safety

Roblox introduces new parental controls, allowing parents to block games, restrict friends, and monitor their childโ€™s activity for better safety.

Anthropic introduces Claude for Education, a new AI chatbot plan for universities

Anthropic launches Claude for Education, an AI chatbot plan for universities that offers advanced learning tools and administration support.

Exabeam introduces Nova, an agentic AI that boosts cybersecurity operations

Exabeam unveils Nova, a proactive AI agent that boosts security team productivity and reduces incident investigation time by over 50%.

Related Articles