Hello again! I have found another open database with medical data for you. Let me remind you that quite recently there were three articles of mine on this topic:
This time it was an Elasticsearch server holding the logs of the medical IT system of the laboratory network "Center for Molecular Diagnostics" (CMD, www.cmd-online.ru) that turned out to be publicly accessible.
Disclaimer: all information below is published solely for educational purposes. The author did not gain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.
The server was discovered on the morning of April 1st, and it did not seem funny to me at all. An alert about the problem went to CMD at about 10 am (Moscow time), and around 15:00 the database became unavailable.
According to the Shodan search engine, this server first appeared in open access on 09.03.2019. About that
Very sensitive information could be obtained from the logs, including patients' full names, gender and dates of birth, doctors' full names, the cost of tests, test data, files with screening results and much more.
An example of a log entry with a patient's test results:
```xml
<Message FromSystem="CMDLis" ToSystem="Any" Date="2019-02-26T14:40:23.773">
  <Patient ID="9663150" Code="A18196930" Family="XXX" Name="XXX" Patronymic="XXX" BornDate="XXX-03-29" SexType="F">
    <Document>Паспорт</Document>
    <Order ID="11616539" Number="DWW9867570" State="normal" Date="2017-11-29T12:58:26.933" Department="1513" DepartmentAltey="13232" DepartmentName="Π‘ΠΌΠ°ΠΉΠ» ΠΠ»ΠΈΡ" FullPrice="1404.0000" Price="1404.0000" Debt="1404.0000" NaprOrdered="2" NaprCompleted="2" ReadyDate="2017-12-01T07:30:01" FinishDate="2017-11-29T20:39:52.870" Registrator="A759" Doctor="A75619" DoctorFamily="XXX" DoctorName="XXX" DoctorPatronymic="XXX">
      <OrderInfo Name="TEMP_CODE">0423BF97FA5E</OrderInfo>
      <OrderInfo Name="Беременность">-1</OrderInfo>
      <OrderInfo Name="Пин">DWW98675708386841791</OrderInfo>
      <OrderInfo Name="СкидкаНаЗаказ">0</OrderInfo>
      <OrderInfo Name="СМКдействителенДо">18.03.2019</OrderInfo>
      <OrderInfo Name="СМКсертификат">Π ΠΠ‘Π‘ RU.13Π‘Π03.00601</OrderInfo>
      <Serv Link="1" PathologyServ="1" Code="110101" Name="Общий анализ мочи (Urine test) с микроскопией осадка" Priority="NORMAL" FullPrice="98.0000" Price="98.0000" ReadyDate="2017-11-30T07:30:01" FinishDate="2017-11-29T20:14:22.160" State="normal"/>
      <Serv Link="2" Code="300024" Name="Пренатальный скрининг II триместра беременности, расчет риска хромосомных аномалий плода, программа LifeCycle (DELFIA)" Priority="NORMAL" FullPrice="1306.0000" Price="1306.0000" ReadyDate="2017-12-01T07:30:01" FinishDate="2017-11-29T20:39:52.870" State="normal"/>
      <Probe ID="64213791" Number="3716965325" Date="2017-11-29T00:00:00" OuterNumber="66477805" Barcode="3716965325" Biomater="66" BiomaterName="Кровь (сыворотка)" Type="physical">
        <Probe ID="64213796" Number="P80V0018" Date="2017-11-29T12:58:26.933" Biomater="66" BiomaterName="Кровь (сыворотка)" WorkList="80" WorkListName="Пренатальный скрининг" Type="virtual">
          <Param State="Valid" User="A872" UserFIO="XXX" UserStaff="Врач КДЛ" Code="3005" guid="7BA0745FD502A80C73C2CAD341610598" Name="Пренатальный скрининг II триместра беременности, расчет риска хромосомных аномалий плода, программа LifeCycle (DELFIA)" Group="ПРЕНАТАЛЬНЫЙ СКРИНИНГ" GroupCode="80" GroupSort="0" Page="1" Sort="2">
            <LinkServ IsOptional="0">2</LinkServ>
            <Result Name="Пренатальный скрининг II триместра беременности, расчет риска хромосомных аномалий плода, программа LifeCycle (DELFIA)" Value="Готов (см.приложение)" User="A872" UserFIO="XXX" Date="2017-11-29T20:39:03.370" isVisible="1" HidePathology="0" IsNew="0">
              <File Name="Пренатальный скрининг 2 триместр_page1.png" Type="image" Format="png" Title="3716965325_prenetal2_page1" Description="Пренатальный скрининг 2 триместр_page1" Sort="1">iVBORw0KGgoAAAANSUhEUgAABfoAAAfuCAIAAAArOR8rAAD//0lEQVR4Xuy9P7BtQ7u+/e3oECF6iRAhQoQI0SZCtIkQIdpEiBCxI0SIECFiV50qRKg6VYgQIUKEiDfiRL7rnPtXz+nqHnPMsfb6s+cc61rBqjl79Oh++uoe/eceT/c8888//
```
I have replaced all sensitive data with "X". In reality, everything was stored in the clear.
From such logs it was easy (by decoding the Base64) to extract PNG files with the screening results, already in a readable form:
The total size of the logs exceeded 400 MB, and in total they contained more than a million entries. It should be understood that not every record was unique patient data.
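The security-relevant lesson of a log entry like the one above is that the application serialised a complete patient record, attachments included, into an error log that was then shipped to a technical store nobody thought of as sensitive. As an added example (this is not code from the original article and not CMD's system), here is a Python script that does what such a pipeline should do before indexing: detect personal data and embedded binaries in an entry, and redact them. The element and attribute names it assumes (`<Patient>` with `Family`/`Name`/`Patronymic`/`BornDate`, `<Order>` with `DoctorFamily`/`DoctorName`/`DoctorPatronymic`, `UserFIO`, `<File>` with Base64 text) are taken from the log shown above; the sample message, its names and its 1x1-pixel PNG payload are constructed for the demonstration.

```python
import base64
import xml.etree.ElementTree as ET

# Every PNG file starts with this fixed 8-byte signature; "iVBORw0KGgo" is its Base64 form.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MASK = "XXX"

# PII attributes, scoped to the element they appear on: "Name" is a test name on
# <Serv>/<Result> but a person's name on <Patient>, so a per-element map is needed.
PII_BY_ELEMENT = {
    "Patient": {"Family", "Name", "Patronymic", "BornDate"},
    "Order": {"DoctorFamily", "DoctorName", "DoctorPatronymic"},
}
PII_ANYWHERE = {"UserFIO"}

# Constructed sample in the shape of the leaked <Message> entries: the people are
# invented and the Base64 payload is a 1x1-pixel PNG, not a real screening result.
SAMPLE_PNG_B64 = (
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)
SAMPLE_MESSAGE = f"""<Message FromSystem="CMDLis" ToSystem="Any" Date="2019-02-26T14:40:23.773">
  <Patient ID="9663150" Family="Ivanova" Name="Anna" Patronymic="Petrovna" BornDate="1990-03-29" SexType="F">
    <Order ID="11616539" Number="DWW0000000" DoctorFamily="Sidorov" DoctorName="Ivan" DoctorPatronymic="Olegovich">
      <Serv Link="2" Code="300024" Name="Prenatal screening, 2nd trimester" Price="1306.0000"/>
      <Probe ID="64213796" Number="P80V0018">
        <Result Name="Prenatal screening" Value="Ready (see attachment)" UserFIO="Sidorov I.O.">
          <File Name="screening_page1.png" Type="image" Format="png">{SAMPLE_PNG_B64}</File>
        </Result>
      </Probe>
    </Order>
  </Patient>
</Message>"""


def _pii_attributes(element):
    """PII attribute names that apply to this element."""
    return PII_BY_ELEMENT.get(element.tag, set()) | PII_ANYWHERE


def find_embedded_files(root):
    """List (file name, declared format, decoded size, looks_like_png) for every
    <File> whose text decodes as Base64, whatever the Format attribute claims."""
    found = []
    for node in root.iter("File"):
        text = (node.text or "").strip()
        try:
            blob = base64.b64decode(text, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not Base64, skip it
            continue
        if not blob:
            continue
        found.append((node.get("Name"), node.get("Format"), len(blob),
                      blob.startswith(PNG_MAGIC)))
    return found


def scan_message(xml_text):
    """Detection side: report which PII attributes and embedded files an entry
    carries, so a log pipeline can alert before the entry is indexed."""
    root = ET.fromstring(xml_text)
    pii_hits = [f"{node.tag}@{attr}"
                for node in root.iter()
                for attr in sorted(_pii_attributes(node))
                if node.get(attr) and node.get(attr) != MASK]
    return {"pii": pii_hits, "files": find_embedded_files(root)}


def redact_message(xml_text):
    """Mitigation side: mask PII attributes and drop embedded binaries.
    Returns (redacted xml, attributes masked, files removed)."""
    root = ET.fromstring(xml_text)
    masked = removed = 0
    for node in root.iter():
        for attr in _pii_attributes(node):
            if attr in node.attrib and node.get(attr) != MASK:
                node.set(attr, MASK)
                masked += 1
    for node in root.iter("File"):
        if (node.text or "").strip():
            node.text = "[binary payload removed]"
            removed += 1
    return ET.tostring(root, encoding="unicode"), masked, removed


if __name__ == "__main__":
    report = scan_message(SAMPLE_MESSAGE)
    print("PII attributes:", report["pii"])
    print("embedded files:", report["files"])
    redacted, masked, removed = redact_message(SAMPLE_MESSAGE)
    print(f"masked {masked} attributes, removed {removed} files")
    print(redacted)
```

The file check deliberately decodes the payload and looks at the magic bytes instead of trusting `Format="png"`: an attachment is an attachment whatever the label says, and a report generated as PDF would be caught by the same Base64 test even though only PNG is recognised by name here. Running the redacted output back through `scan_message` returns no hits, which is the property a pipeline test should enforce before entries are allowed into a shared Elasticsearch index.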
Official response from CMD:
We would like to thank you for the promptly provided information on 01.04.2019 about the presence of a vulnerability in the Elasticsearch error logging and storage database.
Based on this information, our employees, together with specialised specialists, restricted access to the database in question. The error that caused confidential information to be transferred to the technical database has been fixed.
During the analysis of the incident, it was established that the database with error logs appeared in the public domain due to human error. Access to the data was promptly closed on 01.04.2019.
At the moment, the internal and external specialists involved are carrying out an additional audit of the IT infrastructure for data protection.
Our organization has developed a special regulation for working with personal data and a system of tiered responsibility of personnel.
The current software infrastructure assumes the use of the Elasticsearch database for error storage. To improve the reliability of some systems, the corresponding servers will be migrated to our partner's data center, to a certified hardware and software environment.
Thank you for the timely information provided.
News about information leaks and insiders can always be found on my Telegram channel.
Source: habr.com