Another Day, Another Healthcare Data Breach: Adit Left 3.1 Million Patients' Records Exposed
Putting millions of people's data in a poorly configured database is a mistake that far too many organizations make. When the exposure is found, however, the people at fault must ensure that the problem is properly disclosed and that measures are taken to prevent such incidents in the future. Unfortunately, as researchers like Bob Diachenko can testify, these people sometimes prefer to act as if nothing has happened.
Bob Diachenko discovered a database exposing the personal information of 3.1 million patients
On Tuesday, Bob Diachenko published a LinkedIn post regarding a recently exposed database containing the personal data of about 3.1 million people. The leaked information included names, email and physical addresses, phone numbers, as well as the institutions where the affected individuals receive medical treatment. It was clear that the data had been exposed by an organization that works in the healthcare sector, and, after a quick investigation, Diachenko realized that the database belonged to Adit, a platform that helps doctors and hospitals build their online presence and create a system that lets patients book appointments with a few clicks.
To say that Bob Diachenko is no stranger to these types of leaks would be an understatement. He has played a key role in discovering and securing billions of records stored in poorly configured databases. Once he knew that the data belonged to Adit, he wasted no time contacting the organization and disclosing the leak.
Adit did nothing to secure the database
It's not completely clear when the Elasticsearch cluster was first exposed, but it most likely happened in the days before July 12 because that's when the BinaryEdge search engine indexed it. A day later, Bob Diachenko had already discovered it and had contacted Adit. Unfortunately, for the next nine days, he received no response.
This is bad news for anyone who has been affected by the leak. Recent experiments have shown that leaky databases get attacked multiple times a day and that every single alert about a poorly secured server must be treated as an emergency. Adit didn't do that, and we can only speculate how many cybercriminals accessed the data while it was still online.
At one point, an automated script decided to put an end to the leak.
The Meow bot destroyed Adit's data
On July 22, ten days after the database was indexed by BinaryEdge, Diachenko decided to take a look and see if Adit had finally got round to securing it. It hadn't.
The Elasticsearch cluster was still online and accessible from anywhere in the world. All the lines inside it, however, were replaced by random alphanumerical strings with the word "meow" appended to them. The database had been targeted by the Meow bot.
Although it appeared relatively recently, the Meow bot has already managed to destroy thousands of databases. It's an automated script that looks for Elasticsearch and MongoDB installations that are connected to the internet but are not protected by a password and corrupts the data inside them. The plaintext information is replaced by random strings that always end in "meow," hence the name.
Evidence suggests that the Meow bot doesn't steal the data before corrupting it, and it doesn't leave any ransom notes. Most likely, it was created by a vigilante hacker who wants to help organizations secure their data by teaching them a hard lesson in cybersecurity. Whatever the case, the fact of the matter is that in this particular instance, the patients' data was no longer exposed after the attack.
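For administrators who want to check their own cluster for the overwrite pattern described above, here is an added example (not from the article or from Adit) that parses the text output of Elasticsearch's `GET _cat/indices` and flags index names ending in "meow". The exact name pattern, the sample listing and the verdict thresholds are assumptions made for illustration.

```python
import re

# Assumption: the article only says the random strings end in "meow"; the
# length bound and optional hyphen below are illustrative choices.
MEOW_NAME = re.compile(r"^[a-z0-9]{6,}-?meow$", re.IGNORECASE)

# Constructed sample of `GET _cat/indices` text output. Default columns:
# health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
SAMPLE = """\
yellow open  x7k2m9q4ab-meow  c0nStRuCtEdUuId000000001 1 1 1 0 3.9kb 3.9kb
yellow open  p3z8w1r6ty-meow  c0nStRuCtEdUuId000000002 1 1 1 0 3.9kb 3.9kb
green  open  .kibana_1        c0nStRuCtEdUuId000000003 1 0 12 0 45kb 45kb
       close appointments-old c0nStRuCtEdUuId000000004
"""

def parse_cat_indices(text):
    """Return one dict per index row; closed indices have no health or counts."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] in ("open", "close"):      # health column is blank when closed
            f.insert(0, "")
        if len(f) < 3 or f[1] not in ("open", "close"):
            continue                        # header or unrecognised line
        docs = int(f[6]) if len(f) > 6 and f[6].isdigit() else None
        rows.append({"index": f[2], "status": f[1], "docs": docs})
    return rows

def assess(text):
    """Classify a cluster listing as clean, suspect or likely wiped."""
    rows = parse_cat_indices(text)
    # System indices (leading dot) are not counted as surviving user data.
    user = [r for r in rows if not r["index"].startswith(".")]
    hits = [r["index"] for r in user if MEOW_NAME.match(r["index"])]
    if not hits:
        verdict = "clean"
    elif len(hits) * 2 >= len(user):
        verdict = "likely wiped"
    else:
        verdict = "suspect"
    return {"verdict": verdict, "meow_indices": hits,
            "surviving": [r["index"] for r in user if r["index"] not in hits]}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A "likely wiped" or "suspect" verdict means the cluster was writable without authentication at some point, so the exposure window should be investigated even if backups restore the data.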
Who was affected, and what do they need to look out for?
The doctors and healthcare organizations that use Adit might not even know about the leak, which means that they have no way of informing their patients. Affected individuals might be made aware of it if Adit decides to cooperate, but, given the fact that it has yet to publicly disclose the incident, this doesn't seem terribly likely at this point.
The data is no longer online in its plaintext form, but it stayed there for quite a while, and there's every chance that it fell into the wrong hands. It's difficult to say what portion of Adit's users were affected, so if you've ever interacted with the platform, you need to be more careful about potential scams.