India-based healthcare IT solutions provider HealthGenie has allegedly exposed 4.5 lakh sensitive documents of patients that include clinical data and personal data like phone numbers, addresses and payment details, a report said.
The Cybernews research team discovered that the provider left an open Amazon S3 bucket, exposing over 36 gigabytes of data, or nearly 450,000 documents.
The documents allegedly exposed patient details including name, date of birth, phone number, address, medical contract numbers, and payment details.
Out of 450,000 exposed documents, 200,000 were those of the service’s patients. Worryingly, the dataset has been exposed for several months after researchers discovered the open instance and informed the company about the issue.
“Exposing personal medical data poses severe risks for affected individuals as attackers could use the information for identity theft, financial fraud, targeted phishing attacks, blackmail, and potentially compromise patients’ medical histories and personal information. Individual healthcare data can be sold on dark web forums,” Cybernews said.
The research team also contacted HealthGenie for an official comment “but received no response before publishing”.
The Health Genie app with over 100,000 downloads on the Google Play store, offers services such as finding doctors, booking appointments, Electronic Health Record systems, reporting and analytics, and financial monitoring, among others.