DataBreaches.Net


No Need to Hack When It’s Leaking, Friday Global Edition

Posted on November 25, 2022 by Dissent

For today’s episode of “No Need to Hack When It’s Leaking,” DataBreaches brings you three leaks involving patient/medical information: one from the U.S., one from India, and one from Australia.

Tridas Center

Jeremiah Fowler and the Website Planet research team discovered an unsecured database containing more than 16,000 records with personally identifiable information about pediatric patients. The records, which referenced the Tridas eWriter interview system, contained patient ID numbers, names, date of birth, home address, school attended, special needs, medical diagnoses, behavioral or social problems, and other data types. Tridas eWriter’s online interview system is operated by the Tridas Group LLC. The researchers report:

The findings appeared to be a collection of records from Tridas eWriter questionnaires completed by parents, which the Tridas Center (where assessments of children would take place) suggested should be completed before the first evaluation appointment. We note that, according to the Tridas Center website, the Tridas Center closed on December 31, 2019.

Although the researchers seemed somewhat surprised by the sensitivity of the evaluation responses and narratives, it is actually quite common in the U.S. for evaluations to include detailed reporting and narratives by parents and teachers as part of the diagnostic and assessment process. But the data should be treated as personal and sensitive information and given adequate data security protection. It wasn’t in this case.

The Tridas Center appears to have been a HIPAA-covered entity. Was this a reportable breach under HIPAA? Is Tridas making any notifications? Can they even determine whether anyone accessed the information? According to Jeremiah Fowler, Tridas Group did not respond to his inquiries, although they did lock down the data. Tridas has not responded to inquiries by DataBreaches as to whether they are reporting this incident to HHS.

Bahmni

The second leak was reported to DataBreaches by VPNOverview and involved an unsecured Amazon S3 bucket backup relating to the open-source Bahmni EMR and hospital management system. Bahmni serves over 500 websites in 50 countries with their integrated software and claims they manage patient data of over two million people.

According to VPNOverview researchers, an OpenMRS database backup contained medical information of 197,497 people: names, appointment dates, admissions, age, and gender. As far as the researchers could determine, the information seemed to belong to people in the Chhattisgarh state of Central India.

VPNOverview reports that Bahmni responded quickly to their disclosure and locked the data down, but there is nothing that indicates for how long it was exposed or how many unauthorized accesses there may have been.

The report on this leak can be found at VPNOverview.

Respiratory Clinical Trials

For a number of years, an entity in Australia conducted respiratory clinical trials. Research participants were told that everything was held in the strictest of confidence. Well, except for when they exposed more than a decade’s worth of the participants’ protected health information?

This leak was discovered by a researcher who contacted DataBreaches for assistance making responsible disclosure. After confirming that it was leaking and discovering that much of the data appeared to be old, we were not totally surprised to learn that the only email address provided on the website did not work at all.

Directory of folders that were exposed.
Screencap provided by researcher has been redacted by DataBreaches.net.

The exposed files consisted of 80 GB of patient/participant medical files with their demographic information and relevant medical history, including history and updates on the research protocols. A Google search revealed that the principal researcher appeared to be still active but associated with a different entity.

At that point, we turned to the Australian Signals Directorate (Department of Defence) with a request that they alert the entity to lock down the data.

On follow-up, we found the data are still exposed, which is why we are not naming the entity at this point. When DataBreaches followed up with ASD, they informed this site that they had notified the entity. Why the data are still exposed after the government notified them they are leaking research participants’ medical details is unknown to DataBreaches.
