Researcher finds 9 leaky GitHub repositories exposing personal health information of nearly 200000 U.S. residents, says there could be ‘possibly many more’
GitHub is fast becoming a major threat vector in itself. Earlier, hackers and cybercriminals used GitHub dorks to steal confidential information and security keys. Pretty soon they graduated to stealing all or part of a repository, as the Shiny Hunters group did when it stole the Microsoft Git. Now a security researcher has found nine leaking GitHub repositories that have exposed the personal health information (PHI) of nearly 200,000 Americans.
A Dutch security researcher has stumbled across nine data leak incidents involving medical records belonging to 200,000 patients, all based in the United States. The researcher, Jelle Ursem, and Databreaches.net have released a joint report detailing nine data leak incidents involving healthcare providers, one health plan, and business associates or other third parties serving the medical sector.
Using GitHub dorks, Ursem found an alarming amount of sensitive data, including login credentials, that had been left exposed by negligent developers. After finding tonnes of leaked data, Ursem teamed up with Databreaches.net to index and sort the leaks and publish a paper. Ursem says that this is the tip of the iceberg and that there could be many more leaky Gits.
Before making the research public, Ursem contacted the owners of the leaky Gits, but only three of the nine affected entities responded to him and fixed the leaks. The others simply ignored his findings. After he published the research, some of them even threatened to pursue legal action against him, despite Ursem disclosing his findings responsibly and giving the affected entities enough time to address the leaks.
The researcher found that GitHub repositories belonging to nine U.S. entities, including Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group and AccQData, were leaking patient information that could be viewed by random people without much effort. Ursem says that he found one more entity which he has not named, because the company was still in the process of fixing its leak at the time the report went live.
“For the 9 leaks, there were approximately 150,000 – 200,000 unique patients’ records exposed, and possibly many, many more, because Ursem did not sample or access everything that was exposed,” Databreaches.net reports.
Ursem says that the data leaks happened because developers embedded hard-coded login credentials in their code instead of making them a configuration option on the server the code runs on. Some of the leakers used public repositories instead of private ones, while others failed to use two-factor or multi-factor authentication for their email accounts and/or abandoned repositories instead of deleting them when they were no longer needed.
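The root cause Ursem describes, credentials written directly into source, is easy to show side by side with the fix he recommends. The Python below is an added example, not code from the report or from any of the affected entities: it embeds a constructed snippet that contains the anti-pattern (all hostnames, usernames, passwords and keys in it are invented placeholders), the same configuration rewritten to read from the environment, and a small line-based checker of the kind a team can wire into a pre-commit hook so that a literal password or `user:pass@host` URL never reaches a repository, public or private. The pattern list and the `load_db_credentials` helper are assumptions of this example, not anything the article specifies.

```python
import os
import re

# Constructed sample of the anti-pattern described in the report: secrets
# embedded as literals in source. Every value below is a made-up placeholder.
VULNERABLE_SNIPPET = '''\
import pymysql

DB_HOST = "db.example.internal"
DB_USER = "billing_app"
DB_PASSWORD = "Summer2020!"        # hard-coded secret
API_KEY = "sk_live_0123456789abcdef0123"
conn = pymysql.connect(host=DB_HOST, user=DB_USER, password=DB_PASSWORD)
SFTP_URL = "sftp://clinic:hunter2@files.example.internal/export"
'''

# The same configuration done the way the report recommends: the code names
# the settings it needs, and the server supplies the values at run time.
HARDENED_SNIPPET = '''\
import os
import pymysql

DB_HOST = os.environ["DB_HOST"]
DB_USER = os.environ["DB_USER"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
conn = pymysql.connect(host=DB_HOST, user=DB_USER, password=DB_PASSWORD)
'''

# Two common shapes a leaked secret takes in code (assumed heuristics):
#   1. a credential-like name assigned a quoted literal of 6+ characters
#   2. a URL carrying credentials in its authority part (scheme://user:pass@host)
SECRET_PATTERNS = [
    ("assignment", re.compile(
        r'(?i)(password|passwd|pwd|secret|api_key|apikey|token|access_key)'
        r'\s*[=:]\s*["\'][^"\']{6,}["\']')),
    ("url_credentials", re.compile(
        r'(?i)[a-z][a-z0-9+.-]*://[^/\s:@"\']+:[^/\s@"\']+@')),
]

REQUIRED_KEYS = ("DB_HOST", "DB_USER", "DB_PASSWORD")


def find_hardcoded_credentials(source):
    """Return (line_number, kind) for each line that looks like an embedded secret.

    Each line is reported at most once, under the first pattern that matches.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
                break
    return findings


def missing_config_keys(env):
    """List the required settings absent from a mapping such as os.environ."""
    return [key for key in REQUIRED_KEYS if key not in env]


def load_db_credentials(env=None):
    """Read database settings from the environment, failing fast if any is absent.

    Failing at start-up is what makes externalised configuration safe: the code
    cannot quietly fall back to a default password baked into the file.
    """
    env = os.environ if env is None else env
    missing = missing_config_keys(env)
    if missing:
        raise RuntimeError("missing required configuration: " + ", ".join(missing))
    return {key: env[key] for key in REQUIRED_KEYS}


if __name__ == "__main__":
    # Run the checker over both snippets, as a pre-commit hook would over a diff.
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        hits = find_hardcoded_credentials(snippet)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, kind in hits:
            print(f"  line {lineno}: {kind}")
```

The checker is deliberately simple and will miss secrets assigned under unusual names or built from pieces; it exists to catch the plain literal-in-source case that the report says caused these leaks, and a full scanner such as the secret-scanning features offered by Git hosting platforms should sit behind it. Note that the hardened snippet produces no findings even though it mentions `DB_PASSWORD`, because the name is only ever followed by a lookup, never by a quoted value.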