A collaborative report by security researcher Jelle Ursem and DataBreaches.net, dated August 2020, revealed that sensitive healthcare records from at least 9 sources have been compromised through GitHub.
The report, titled “No need to hack when it’s leaking,” detailed the events leading up to the discovery of the leaks, which Ursem found initially. The Dutch researcher then contacted DataBreaches.net to investigate the matter further.
According to Ursem, he came across the leaks while investigating whether medical customer data was being uploaded to GitHub. He found more than 200,000 records of personally identifiable information (PII) and protected health information (PHI) on the platform.
The researcher used simple searches with phrases such as “companyname password” or “Medicaid password FTP.” The results contained login usernames and passwords for various systems that healthcare facilities use to monitor patient data.
The leaks are the result of developers embedding login credentials in their source code and uploading it to a public repository such as GitHub.
The code uploaded to the public repositories was also abandoned rather than deleted, and no additional security measures such as two-factor or multifactor authentication were encountered when logging in.
Logging in to one of these systems let Ursem access the database used by the facility. The report says, “Once logged in to a Microsoft Office 365 or Google G Suite environment, Ursem is often able to see everything an employee sees.”
This includes emails, address books, team chats, user data, and internal documents. The 9 sources are Xybion, MedPro Billing, Texas Physician House Calls, Virmedica, Mainecare, Waystar, Shields Health Care Group, AccQData, and an “unnamed entity.”
Some of the leaks had been going on for years. Xybion, for example, had been leaking PII and PHI since October 2018. It took Ursem several attempts to get Xybion to address the issue, which has since been secured.
While some attempts to have the information taken down were successful, others were not. In the case of MedPro’s leak, which had been up since 2016, both Ursem and DataBreaches.net reached out to the company to no avail.
To address the situation, the report recommended that entities force password changes from time to time. Developers should also use private repositories and, most importantly, avoid embedding login credentials in code.
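One defensive check that follows from the report’s finding (credentials embedded in code and pushed to public repositories) and its recommendation to keep them out of code: an added example, not from the report or from any of the named companies, of a pre-commit secret scan run over two constructed sample scripts, the leaky form and its hardened counterpart. The regex patterns, the hostnames and the sample passwords are assumptions of this example.

```python
import re
import sys
from typing import List, Tuple

# Patterns for credentials that commonly end up hard-coded in source files. The
# categories follow the report's examples (FTP logins, account passwords); the
# regexes themselves are this example's assumption, not taken from the report.
CREDENTIAL_PATTERNS = [
    ("password literal", re.compile(r"""(?i)(password|passwd|pwd)\s*[:=]\s*["'][^"']{6,}["']""")),
    ("credentials in URL", re.compile(r"""(?i)\b(s?ftp|https?)://[^\s/:@"']+:[^\s/@"']+@""")),
    ("literal login call", re.compile(r"""\.login\(\s*["'][^"']+["']\s*,\s*["'][^"']+["']\s*\)""")),
]

def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, kind) for each line that looks like a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
                break  # one finding per line is enough to block the commit
    return findings

# Constructed sample of the kind of upload script the report describes:
# credentials embedded directly in the code, ready to leak once pushed.
LEAKY_SCRIPT = """import ftplib
FTP_HOST = "ftp.example-billing.invalid"
FTP_PASSWORD = "Summer2016!"
REPORT_URL = "sftp://reports:Winter2018@sftp.example-billing.invalid/outbound"
ftp = ftplib.FTP(FTP_HOST)
ftp.login("claims_upload", "Summer2016!")
"""

# Hardened form of the same script: secrets come from the environment (or a
# secret manager), so nothing sensitive exists in the repository to leak.
HARDENED_SCRIPT = """import os, ftplib
ftp = ftplib.FTP(os.environ["FTP_HOST"])
ftp.login(os.environ["FTP_USER"], os.environ["FTP_PASSWORD"])
"""

if __name__ == "__main__":
    # Usage as a pre-commit hook: python scan_secrets.py <files...>; a non-zero exit blocks the commit.
    blocked = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind in scan_source(fh.read()):
                print(f"{path}:{lineno}: possible hard-coded credential ({kind})")
                blocked = True
    sys.exit(1 if blocked else 0)
```

Wired into a repository as a pre-commit hook, the check stops the leaky script before it reaches a remote, while the hardened version passes because the repository never contains the secret.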
The report warned that more leaks are likely to be found on GitHub.