Security researcher Jeremiah Fowler in collaboration with Website Planet’s team of researchers discovered an unprotected database containing more than 16,000 records. What’s worse, the misconfigured database contained sensitive personally identifiable information (PII) of thousands of children.
Fowler noted that the misconfigured database contained highly sensitive PII, including the names of parents and children, dates of birth, patient ID numbers, physical addresses, special needs, schools attended, medical diagnoses, and histories of social and behavioral problems.
What Information was Included in the Database?
Researchers reviewed a sample of 1,000 records to determine who owned the data and informed them about the exposed database. As per their findings, each record they reviewed had some form of PII related to children.
Each record carried a unique patient ID number, and the data appeared to be fairly recent. Within the database, children’s records were categorized with tags, including the following:
- Attention Difficulties
- Behavior Difficulties
- Autism Symptoms
- Emotional Issues
- Social Inter Concerns
- Learning Problems
- Development Delay
According to Website Planet’s report, a surprising aspect of the discovery was that the records included a summary questionnaire describing each child’s condition. This was a detailed overview in which parents explained their child’s challenges and the circumstances that showed why the child needed medical assistance.
Such information should only be accessible to medical professionals, but it was publicly accessible via a misconfigured IP address, which also revealed the host domain, login portal, and data location.
Who Owns the Database?
Further investigation revealed that the data was linked to an online interview system called Tridas eWriter, operated by the Tridas Group LLC of Tampa, Florida. The company offers software to schools and parents for the diagnosis and management of children with autism, ADHD, learning challenges, and similar disorders.
“Tridas eWriter provides secure, HIPAA compliant online questionnaires and it generates a detailed report that organizes the data in an easy-to-read format to facilitate the diagnosis and management of these complex challenges,” the company’s website read.
Researchers believe the records were collected through Tridas eWriter questionnaires that parents filled out before booking their child’s initial evaluation appointment. According to the Tridas Center website, the center closed on 31 December 2019.
Researchers at Website Planet notified the Tridas Group LLC about the exposed database, and access to it was restricted immediately.
Exposure of such sensitive health records carries a range of risks and can endanger the safety of children and their families. The exposed data could be used for medical extortion, phishing, social engineering scams, and even ransomware attacks in which the data is encrypted and held hostage.
Because the database was left unprotected, threat actors could also have inserted malicious code or probed the host for vulnerabilities to use in future attacks. The medical records are the most sensitive part of the exposed information, since they concern children’s health and cannot be changed like a password; scammers could exploit them for years to come.