Medical software firm leaks personal data of 3.1 million patients

Somehow, the misconfigured Elasticsearch cluster did not contain medical data of patients.


A medical software company has exposed the data of 3.1 million patients, according to Volodymyr “Bob” Diachenko, a cybersecurity consultant and owner of Security Discovery.

The medical software development firm bundled software that hospitals and dental clinics used for online booking and patient record management.

The misconfigured Elasticsearch cluster included sensitive and confidential information such as names, email addresses, gender, contact numbers (home and work), marital status, and the name of the patients' practice.

If it's any consolation, no medical records were leaked online. But it is unnerving to know that the data was exposed on the internet with no authentication or password protecting it.

Screenshot from the leaked database (Image: Bob Diachenko)

The incident should not come as a surprise, since misconfigured databases have exposed billions of sensitive records in the last couple of years. In fact, the situation is so critical that, according to a new poll, database configuration errors are the number one threat to cloud security.

The cybersecurity consultant, who discovered the unsecured database on July 13, 2020, found that the company in question is Adit, a Houston, TX-based company.


A day before the discovery, the unsecured database was indexed by BinaryEdge. A disclosure was sent to the affected company, but no response was received. More than a week later, the exposed data was destroyed by ‘Meow Bot.’

It is noteworthy that Meow Bot has recently become notorious for attacking unprotected databases, in what researchers have dubbed the “Meow Attack.” The attack leaves no ransom note or threat, just the word ‘meow’ along with a random set of numbers.

Meow attack in progress (Image:

A similar attack was seen last month involving UFO VPN. The Hong Kong-based VPN provider, despite claiming to have a zero-logs policy, exposed its database, leaving it open for attackers to see. Remedial measures followed and the database was secured, only for it to surface online again, after which it was destroyed by Meow.

According to a blog post published by the researcher, Adit’s database was exposed for ten days before it was destroyed by Meow bot. Whether threat actors accessed the data during that time has not been brought to light yet, but the likelihood of this having happened is high.


Exposed data can be exploited in many ways

  • The sensitive and confidential data exposed in this incident could be used by cybercriminals for fraudulent activities such as phishing and online scams.
  • If your record was maintained using Adit’s software, be on the lookout for unsolicited emails or messages that could contain fishy URLs. Do not click them, and immediately contact your medical clinic.
  • Leaked data in the wrong hands can pose huge risks such as identity theft, catfishing, and, in severe cases, blackmail.
