Another day, another exposed database due to misconfiguration of a MongoDB installation. Bob Diachenko found it and reports on it:
On August 3rd, I have discovered that personal information of 2,373,764 patients from Mexico is publicly available through a misconfigured MongoDB instance. Data included such fields as:
- Full name and gender;
- CURP number (i.e. Personal ID Code Number, a unique identity code for both citizens and residents of Mexico);
- Insurance policy number and its expiration date;
- Date of birth;
- Home address;
- ‘Disability‘ and ‘migrant‘ flags
[…]
Upon analyzing the content of database, I have identified the alleged owner of the information, Hova Health company, a telemedicine company “focused on two main areas: Telemedicine (Teleradiology – Telehealth) and software development for the health sector.”
Read the rest of Bob’s report and see the screenshots on LinkedIn.
Bob subsequently tweeted that in his report, he had forgotten to mention that “diagnoses, medical notes for more than 100 thousands people were also there.”