MongoDB Database Breach Exposes Personal Information of 2 Million People in Mexico

Computer Security Breach Articles
  • MongoDB Database Breach Exposes Personal Information of  2,373,764 Patients in Mexico
  • The database was discovered by security researcher Bob Diachenko
  • The database belongs to Hova Health company and
  • The database was publicly accessible and editable to anyone in the world.

Yet Another healthcare data breach hit a Telemedicine company. This time it is MongoDB database breach which contains health information of 2 million people in Mexico.

The leaked data contains the following details:

  • Full name and gender
  • Insurance policy number and its expiration date
  • Date of birth
  • Home address
  • Disability and migrant flags
  • CUPR number( personal id code no, a unique identity code for citizen and resident of Mexico).

The database was discovered by Bob Diachenko, a security researcher, on August 3rd via search engine Shodan and contained personal information of 2,373,764 patients in Mexico.

The database was publicly available through a misconfigured MongoDB instance and was publicly accessible, viewable, and editable for anyone in the world with internet which did not require any login.

After analyzing the data, the Researcher was able to identify the alleged owner of the database by checking fields which contains the administrator’s email addresses.

The database belongs to a telemedicine company, Hova Health company, and It is still not clear the domain belongs to.

The researcher said that the database also contains hashed/salted passwords for admin accounts and emails. He contacted Hova Health company on the same day of discovery and database was secured immediately.

Interestingly, all the patients’ information that I reviewed was related to the state of Michoacán. Collection in the database was named after Efimed (‘efimed_mich_8020’), a type of records which is part of the SRS (Health Registration System) platform (according to this site). That all combined doesn’t answer the question who was the final owner of the database left without any password protection.” said in the post published by Researcher.

It is still unclear how long the database was publicly exposed and who else have accessed it.

Last week UnityPoint Health alerted patients about a data breach exposing personal data 1.4 million patients and last month Singapore largest health group SingHealth also suffered a massive data breach exposing personal information of 1.5 million patients.

It is high time that medical businesses and service providers like hospitals, insurance companies, etc who store and handle patients’ personal data start ensuring cyber security measures stringently.



Please rate this content