No Need to Hack When It’s Leaking, Friday Global Edition

Posted on November 25, 2022 by Dissent

For today’s episode of “No Need to Hack When It’s Leaking,” DataBreaches brings you three leaks involving patient/medical information: one from the U.S., one from India, and one from Australia.

Tridas Center

Jeremiah Fowler and the Website Planet research team discovered an unsecured database containing more than 16,000 records with personally identifiable information about pediatric patients. The records, which referenced the Tridas eWriter interview system, contained patient ID numbers, names, date of birth, home address, school attended, special needs, medical diagnoses, behavioral or social problems, and other data types. Tridas eWriter’s online interview system is operated by the Tridas Group LLC. The researchers report:

The findings appeared to be a collection of records from Tridas eWriter questionnaires completed by parents, which the Tridas Center (where assessments of children would take place) suggested should be completed before the first evaluation appointment. We note that, according to the Tridas Center website, the Tridas Center closed on December 31, 2019.

Although the researchers seemed somewhat surprised by the sensitivity of the evaluation responses and narratives, it is actually quite common in the U.S. for evaluations to include detailed reporting and narratives by parents and teachers as part of the diagnostic and assessment process. But the data should be treated as personal and sensitive information and given adequate data security protection. It wasn’t in this case.

The Tridas Center appears to have been a HIPAA-covered entity. Was this a reportable breach under HIPAA? Is Tridas making any notifications? Can they even determine whether anyone accessed the information? According to Jeremiah Fowler, Tridas Group did not respond to his inquiries, although they did lock down the data. Tridas has not responded to inquiries by DataBreaches as to whether they are reporting this incident to HHS.

Bahmni

The second leak was reported to DataBreaches by VPNOverview and involved an unsecured Amazon S3 bucket backup relating to the open-source Bahmni EMR and hospital management system. Bahmni serves over 500 websites in 50 countries with its integrated software and claims to manage patient data of over two million people.

According to VPNOverview researchers, an OpenMRS database backup contained medical information of 197,497 people: names, appointment dates, admissions, age, and gender. As far as the researchers could determine, the information seemed to belong to people in the Chhattisgarh state of Central India.

VPNOverview reports that Bahmni responded quickly to their disclosure and locked the data down, but there is nothing that indicates for how long it was exposed or how many unauthorized accesses there may have been.

The report on this leak can be found at VPNOverview.

Respiratory Clinical Trials

For a number of years, an entity in Australia conducted respiratory clinical trials. Research participants were told that everything was held in the strictest of confidence. Well, except for when they exposed more than a decade’s worth of the participants’ protected health information?

This leak was discovered by a researcher who contacted DataBreaches for assistance making responsible disclosure. After confirming that it was leaking and discovering that much of the data appeared to be old, we were not totally surprised to learn that the only email address provided on the website did not work at all.

[Image: Directory of folders that were exposed. Screencap provided by researcher has been redacted by DataBreaches.net.]

The exposed files consisted of 80 GB of patient/participant medical files with their demographic information and relevant medical history, including history and updates on the research protocols. A Google search revealed that the principal researcher appeared to be still active but associated with a different entity.

At that point, we turned to the Australian Signals Directorate (Department of Defence) with a request that they alert the entity to lock down the data.

On follow-up, we found the data are still exposed, which is why we are not naming the entity at this point. When DataBreaches followed up with ASD, they informed this site that they had notified the entity. Why the data are still exposed after the government notified them they are leaking research participants’ medical details is unknown to DataBreaches.

Category: Breach Incidents, Exposure, Health Data, Non-U.S., U.S.
