All your analyzes are in the public domain

Hello again! I again found an open base with medical data for you. Let me remind you that quite recently there were three of my articles on this topic: leakage of personal data of patients and doctors from the online medical service DOC +, Vulnerability of the Doctor Nearby service и ambulance station data leak.

This time, the Elasticsearch server with the logs of the medical IT system of the laboratory network turned out to be in the public domain.Center for Molecular Diagnostics"(CMD, www.cmd-online.ru).

Дисклеймер: вся информация ниже публикуется исключительно в образовательных целях. Автор не получал доступа к персональным данным третьих лиц и компаний. Информация взята либо из открытых источников, либо была предоставлена автору анонимными доброжелателями.

The server was discovered on the morning of April 1st and it didn't seem funny to me at all. An alert about the problem went to CMD at about 10 am (Moscow time) and around 15:00 the base became unavailable.

According to the Shodan search engine, this server first came into open access on 09.03.2019/XNUMX/XNUMX. About that how open Elasticsearch databases are discovered, I wrote a separate article.

Very sensitive information could be obtained from the logs, including Full name, gender, dates of birth of patients, full names of doctors, cost of studies, study data, files with screening results and much more.

An example of a log with the results of patient analyzes:

"<Message FromSystem="CMDLis" ToSystem="Any" Date="2019-02-26T14:40:23.773"><Patient ID="9663150" Code="A18196930" Family="XXX" Name="XXX" Patronymic="XXX" BornDate="XXX-03-29" SexType="F"><Document>Паспорт</Document><Order ID="11616539" Number="DWW9867570" State="normal" Date="2017-11-29T12:58:26.933" Department="1513" DepartmentAltey="13232" DepartmentName="Смайл Элит" FullPrice="1404.0000" Price="1404.0000" Debt="1404.0000" NaprOrdered="2" NaprCompleted="2" ReadyDate="2017-12-01T07:30:01" FinishDate="2017-11-29T20:39:52.870" Registrator="A759" Doctor="A75619" DoctorFamily="XXX" DoctorName="XXX" DoctorPatronymic="XXX"><OrderInfo Name="TEMP_CODE">0423BF97FA5E</OrderInfo><OrderInfo Name="Беременность">-1</OrderInfo><OrderInfo Name="Пин">DWW98675708386841791</OrderInfo><OrderInfo Name="СкидкаНаЗаказ">0</OrderInfo><OrderInfo Name="СМКдействителенДо">18.03.2019</OrderInfo><OrderInfo Name="СМКсертификат">РОСС RU.13СК03.00601</OrderInfo><Serv Link="1" PathologyServ="1" Code="110101" Name="Общий анализ мочи (Urine test) с микроскопией осадка" Priority="NORMAL" FullPrice="98.0000" Price="98.0000" ReadyDate="2017-11-30T07:30:01" FinishDate="2017-11-29T20:14:22.160" State="normal"/><Serv Link="2" Code="300024" Name="Пренатальный скрининг II триместра беременности, расчет риска хромосомных аномалий плода, программа LifeCycle (DELFIA)" Priority="NORMAL" FullPrice="1306.0000" Price="1306.0000" ReadyDate="2017-12-01T07:30:01" FinishDate="2017-11-29T20:39:52.870" State="normal"/><Probe ID="64213791" Number="3716965325" Date="2017-11-29T00:00:00" OuterNumber="66477805" Barcode="3716965325" Biomater="66" BiomaterName="Кровь (сыворотка)" Type="physical"><Probe ID="64213796" Number="P80V0018" Date="2017-11-29T12:58:26.933" Biomater="66" BiomaterName="Кровь (сыворотка)" WorkList="80" WorkListName="Пренатальный скрининг" Type="virtual"><Param State="Valid" User="A872" UserFIO="XXX" UserStaff="Врач КЛД" Code="3005" guid="7BA0745FD502A80C73C2CAD341610598" Name="Пренатальный скрининг II триместра беременности, расчет риска хромосомных аномалий плода, программа LifeCycle (DELFIA)" Group="ПРЕНАТАЛЬНЫЙ СКРИНИНГ" GroupCode="80" GroupSort="0" Page="1" Sort="2"><LinkServ IsOptional="0">2</LinkServ><Result Name="Пренатальный скрининг II триместра беременности, расчет риска хромосомных аномалий плода, программа LifeCycle (DELFIA)" Value="Готов (см.приложение)" User="A872" UserFIO="XXX" Date="2017-11-29T20:39:03.370" isVisible="1" HidePathology="0" IsNew="0"><File Name="Пренатальный скрининг 2 триместр_page1.png" Type="image" Format="png" Title="3716965325_prenetal2_page1" Description="Пренатальный скрининг 2 триместр_page1" Sort="1">iVBORw0KGgoAAAANSUhEUgAABfoAAAfuCAIAAAArOR8rAAD//0lEQVR4Xuy9P7BtQ7u+/e3oECF6iRAhQoQI0SZCtIkQIdpEiBCxI0SIECFiV50qRKg6VYgQIUKEiDfiRL7rnPtXz+nqHnPMsfb6s+cc61rBqjl79Oh++uoe/eceT/c8888///

I've padded all sensitive data with an "X". In reality, everything was kept in the open.

From such logs it was easy (by transcoding from Base64) to get PNG files with screening results, already in a readable form:

The total size of the logs exceeded 400 MB and in total they contained more than a million entries. It is understood that not every record was unique patient data.

Official response from CMD:

We would like to thank you for the promptly provided information on 01.04.2019/XNUMX/XNUMX about the presence of a vulnerability in the Elasticsearch error logging and storage database.

Based on this information, our employees, together with specialized specialists, had limited access to the specified database. The error of transferring confidential information to the technical database has been fixed.

During the analysis of the incident, it was possible to find out that the appearance of the specified database with error logs in the public domain occurred due to a human factor. Access to the data was promptly closed on 01.04.2019/XNUMX/XNUMX.

At the moment, internal and external specialists involved are taking measures for an additional audit of the IT infrastructure for data protection.

Our organization has developed a special regulation for working with personal data and a system of tiered responsibility of personnel.

The current software infrastructure assumes the use of the Elasticsearch database for error storage. To improve the reliability of some systems, the corresponding servers will be migrated to our partner's data center, to a certified hardware and software environment.

Thank you for the timely information provided.

News about information leaks and insiders can always be found on my Telegram channel "Information leaks».

Source: habr.com