Skip to main content

Stolen Personal And Medical Information Was Found Online

By May 23, 2019May 19th, 2022Cybersecurity

Jeremiah Fowler, a researcher with Security Discovery recently found an unprotected Elasticsearch databased owned by a company called SkyMed on the internet.  According to his findings the database was configured such that it was open and visible to any browser. This allows anyone who stumbles across it to edit, download, or even delete data without administrative credentials.

The database contained a total of 136,995 patient records with histories going back thirty years in some cases.

It also included a variety of personally identifiable information such as:

  • Patient full name
  • Email address
  • Date of birth
  • Address
  • Phone numbers
  • In some cases, detailed medical information

Mr. Fowler promptly contacted SkyMed to inform them of the discovery. To their credit, the company promptly took the database offline.  They did not, however, make a formal reply to Mr. Fowler. They have not, to this point, reached out to any of the patients whose names and personal information appeared in the database.

In addition to the unprotected database, Mr. Fowler discovered forensic evidence that indicated the company’s network may have been infected with an unknown ransomware strain.  Again, however, the company has maintained total silence and has not contacted anyone, including their customers or impacted patients with details.

This complete lack of response is highly unusual.  On the heels of such an incident, we normally see a formal acknowledgement, an apology, a statement to the effect that the company is working with law enforcement and possibly engaging the services of a third party to assist with the investigation.  In addition to that, companies almost always make some effort to reach out to impacted parties to warn them of the dangers, advise of next steps they can take and offer free credit protection.

None of that has happened thus far, which could prove to be disastrous for SkyMed.  In the absence of those steps, it’s difficult to see how the company’s customers can trust them going forward.  In any case, be advised that if you are in any way reliant on SkyMed for any part of your care, there’s a chance your personally identifiable data was exposed.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.