Public GitHub repositories have been found exposing patients' personal and protected health information, along with other sensitive data, online.
The leak was found by Jelle Ursem, a security researcher from the Netherlands, who discovered that at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub.
Those 9 leaks, which involve between 150,000 and 200,000 patient records, may be just the tip of the iceberg.
The search for exposed data was halted so that the entities concerned could be contacted and a report produced to highlight the risks to the healthcare community.
Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected.
The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data.
While conducting a search, it took Jelle Ursem just ten minutes to discover data that had been leaked on GitHub, and it soon became clear that it was far from an isolated case.
Jelle Ursem is an ethical security researcher who has previously identified many data leaks on GitHub, including by Fortune 500 firms, publicly traded companies, and government organizations.
“GitHub search is the most dangerous hacking tool out there,” said Ursem. Why go to the trouble of hacking a company when it is leaking data that can be found with a simple search on GitHub?
Ursem ran searches such as “companyname password” and “medicaid password FTP” and found several hard-coded usernames and passwords in code uploaded to GitHub.
Those usernames and passwords allowed him to log in to Microsoft Office 365 and Google G Suite accounts and access a wide range of sensitive information, including user data, contracts, agendas, internal documents, team chats, and the protected health information of patients.
Ursem had no luck contacting the companies concerned to alert them to the exposure, so he turned to DataBreaches.net for assistance.
Dissent Doe of DataBreaches.net and Ursem then worked together to contact the organizations concerned and get the data secured.
In some cases they succeeded. In others, some of the data is still accessible, even after several months of attempts to contact the companies concerned, explain the severity of the situation, and offer help to address the problems that led to the exposure.
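The defensive counterpart to those searches is to catch hard-coded credentials before they are pushed. The following scanner, added here as an illustration and not taken from the report, flags the two patterns Ursem's findings describe: password or key literals assigned in source/config, and FTP/HTTP URLs that carry a user:password pair. The sample config, host names and placeholder list are constructed for the example; the script exits non-zero when it finds anything, so it can run as a pre-commit hook over staged files.

```python
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Two families of hard-coded secret: credential literals assigned in
# source/config, and FTP/SFTP/HTTP URLs that embed a user:password pair.
PATTERNS = {
    "password_assignment": re.compile(
        r"""(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{6,})["']"""),
    "url_with_credentials": re.compile(
        r"""(?i)\b(?:ftp|sftp|https?)://([^\s/:@"']+):([^\s/@"']+)@[^\s"']+"""),
}
# Values that are fine to commit: obvious placeholders and ${ENV_VAR} references.
PLACEHOLDERS = {"changeme", "password", "example", "your_password", "<password>"}

def scan_text(text: str, path: str = "<memory>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, finding type) for lines that embed a likely credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(2)  # the password half of either pattern
            if secret.lower() in PLACEHOLDERS or secret.startswith("${"):
                continue
            findings.append((path, lineno, kind))
    return findings

def scan_files(paths: List[str]) -> List[Tuple[str, int, str]]:
    """Scan the given files; from a pre-commit hook, pass the staged file list."""
    return [f for p in paths
            for f in scan_text(Path(p).read_text(encoding="utf-8", errors="replace"), p)]

# Constructed sample of a deployment script like those the report describes
# (values are made up; .invalid is a reserved, non-resolving TLD).
SAMPLE_CONFIG = """\
FTP_URL = "ftp://claims_user:Sup3rS3cret!@ftp.example.invalid/uploads"
O365_PASSWORD = "Winter2020!"
DB_PASSWORD = "${DB_PASSWORD}"
API_KEY = "changeme"
"""

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG)
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: {kind}")
    sys.exit(1 if hits else 0)  # a non-zero exit makes a pre-commit hook block the commit
```

Run with no arguments to see the two findings in the constructed sample (the env-var reference and the placeholder are correctly ignored); a check like this complements, rather than replaces, a full secret scanner.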
The report details 9 leaks that affected U.S. entities such as Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, AccQData – and one unnamed entity.
The entity remains unnamed because the data is still accessible.
That case was just one of several in which outsourced or contracted developers working for HIPAA-covered entities and business associates exposed data through their practices, unbeknownst to the CEs and BAs.
“No matter how big or small you are, there’s a real chance that one of your employees has thrown the front door key under the doormat and has forgotten that the doormat is transparent,” explained Dissent Doe of DataBreaches.net. Regardless of whether your organization uses GitHub, HIPAA Journal believes the report to be essential reading.
The collaborative report from Jelle Ursem and DataBreaches.net explains how the leaks occurred and why they went undetected for so long, and sets out several recommendations on how data breaches via GitHub can be prevented, detected and, where mistakes are made, addressed quickly.