Jeremiah Fowler reports on another unsecured elasticsearch database that his firm has found:
On March 27th I discovered an unsecured Elasticsearch database that contained what appeared to be members of a medical evacuation membership service. Upon further inspection of the data there were many references that the data allegedly belonged to Florida-based SkyMed. It appeared to be a detailed list of their member accounts. The first data incident notification was sent on March 27th (the same day it was discovered). On April 5th we verified that the database was closed and no longer publicly accessible. No one from SkyMed replied to either message.
Read more on SecurityDiscovery.
Because this business provides emergency medical evacuations, it collects and stores some medical information on those who register as members of its service. Jeremiah didn't go into any real detail about what kinds of medical information were exposed, though. The article says:
Inside the database was each member’s file that included personally identifiable information and some accounts had medical information or notes about the user. It is unknown how long this data was publicly accessible or who may have accessed it. What is known is that there was evidence of ransomware inside the database and this could potentially be evidence of a far bigger exposure.
Fowler also reports:
It is unclear if this incident was reported to members, or the authorities as required by HIPPA and Florida breach and notification laws.
OK, that should be “HIPAA,” not “HIPPA,” and deciding whether notification is required by a federal or state law is a job for lawyers as there’s often some decision-making involved in whether something is actually a reportable breach under HIPAA or not.
But has SkyMed reported this or notified anyone? DataBreaches.net reached out to them yesterday but has not gotten any reply as to whether they have reported this situation to OCR and to potentially affected members.