KEY FINDINGS
- A non-password-protected database containing over 17 billion records was exposed.
- The leaked records included healthcare provider information, such as names, addresses, and contact numbers.
- The leaked records also included negotiated rates for medical procedures.
- The data leak was caused by a security lapse at Cigna Health.
- Cigna Health has taken steps to secure the database and is investigating the incident.
Cybersecurity researcher Jeremiah Fowler has unearthed a concerning incident involving a non-password-protected database containing over a staggering 17 billion records. The extensive records were traced back to Cigna Health, a major player in the health insurance industry. The company’s effort to bolster transparency inadvertently led to this massive data leak, as disclosed by Fowler.
The leaked records, amounting to a colossal 6.35 terabytes, primarily consisted of healthcare provider information. Details included the names of hospitals and doctors, location addresses, contact numbers, and various identification numbers such as the National Provider Identifier (NPI). Importantly, these records also disclosed negotiated rates for medical procedures. However, it is essential to clarify that the exposed data did not encompass customer or patient information.
Fowler’s discovery prompted a swift response from Cigna, acknowledging the security lapse and taking immediate measures to secure the vulnerable database from public access. Cigna defended its stance by citing its Transparency in Coverage program, which adheres to federal regulations in place since 2022.
Notably, the information contained within the database was intended for public access due to regulatory requirements. However, the lack of proper security measures posed potential risks to Cigna’s broader internal storage network.
The exposed database, which offered an unprecedented behind-the-scenes look into Cigna Health, detailed the company’s operations spanning all 50 states in the United States. Cigna Health offers an array of health insurance plans, catering to individuals, families, employers, and various government programs.
The database’s structure was logically organized and easily searchable, revealing provider records alongside Current Procedural Terminology (CPT) codes. Under the Affordable Care Act, health insurers are mandated to disclose negotiated rates publicly, emphasizing transparency. Despite the potential benefits of this disclosure, the size and complexity of these data files could prove challenging for non-technical individuals to navigate effectively.
Security concerns regarding the leaked data revolve around the potential misuse of National Provider Identifier (NPI) numbers, which serve as unique identifications for healthcare providers. While the leaked data did not indicate any misconduct by Cigna, NPIs have been exploited in the past for fraudulent activities such as Medicare and Medicaid scams and non-password-protected databases could expose companies to ransomware attacks.
RELATED ARTICLES
- Cybersecurity firm exposes 5 billion data breach records
- DreamHost hosting firm exposed almost a billion sensitive records
- 9,517 unsecured databases identified with 10 billion records globally
- Online trading broker FBS exposes 20TB of data with 16 billion records
- Brazilian marketplace integrator Hariexpress exposed 1.75 billion records