Bahmni Breach Exposes Medical Data of 197,497 People


VPNOverview’s security team discovered a data breach that exposed the medical information of 197,497 people stored online. The source of the leak was Bahmni, an electronic medical record and hospital system combining several open-source products.

According to Bahmni, over 500 websites in more than 50 countries use their software, which was also chosen for national rollouts in Tanzania, Lesotho, and Bangladesh. Bahmni claims to manage the patient records of over two million people.

OpenMRS Database Left Open

Researchers at VPNOverview found an unsecured Amazon Web Services (AWS) S3 bucket belonging to Bahmni. Upon examining the bucket, we found it contained an OpenMRS database backup. VPNOverview’s security team was able to restore the backup and browse through the data.

OpenMRS is a free, open-source healthcare project, self-described as being designed for use in places with limited resources. Bahmni leverages OpenMRS as part of its integrated solution.
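The finding above comes down to one misconfiguration: a bucket whose policy or ACL lets anyone read it. The following check is an added example, not code from the article, VPNOverview or Bahmni. It evaluates the JSON structures the AWS API returns for a bucket policy and a bucket ACL and flags anonymous grants; the bucket name, account id and role name in the samples are constructed for the example, and the script runs offline on them.

```python
"""Offline check for S3 bucket policies and ACLs that grant anonymous access.

Added example, not code from the article, VPNOverview or Bahmni. It evaluates
the JSON structures that the AWS API returns for a bucket policy and a bucket
ACL, so it runs on the constructed samples below without any AWS account.
"""
import json

# Group URIs AWS uses for "anyone on the internet" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_anonymous(principal) -> bool:
    """True when a policy Principal covers everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return one finding per Allow statement that is open to any principal.

    A Condition block can narrow such a statement (for example to one source
    VPC), so the finding records whether one is present; a conditioned
    statement still needs manual review rather than an automatic pass.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_anonymous(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", f"statement[{index}]"),
                "actions": stmt.get("Action"),
                "conditioned": "Condition" in stmt,
            })
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs for grants to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def is_publicly_readable(policy_json: str, acl: dict) -> bool:
    """Overall verdict: any anonymous policy statement or public ACL grant."""
    return bool(public_policy_statements(policy_json)) or bool(public_acl_grants(acl))


# Constructed samples: bucket name, account id and role name are invented.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-emr-backups",
                     "arn:aws:s3:::example-emr-backups/*"],
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::example-emr-backups/*",
    }],
})

OPEN_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, "policy findings:", public_policy_statements(policy))
    print("ACL findings:", public_acl_grants(OPEN_ACL))
    print("open bucket public?", is_publicly_readable(OPEN_POLICY, OPEN_ACL))
```

In practice the input would be the documents returned by the S3 GetBucketPolicy and GetBucketAcl calls; the account-level S3 Block Public Access setting is the control that makes both kinds of grant ineffective regardless of what an individual bucket says, and backups of a medical database belong in a bucket where it is switched on.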

Medical Data and Personal Information of 197,497 People Exposed

The leaked database exposed the medical information of 197,497 people, including appointment dates, hospital admissions, age, gender, and names of patients. Some location data was also exposed, but Bahmni anonymized street addresses.

[Screenshot: Bahmni list of patient names]

The information seems to belong to people in the Chhattisgarh state of central India. They were patients at a hospital system in Ganiyari, a village 500 miles west of Kolkata.

[Screenshot: Bahmni appointments list]

Aaron Phillips, the cybersecurity professional who discovered the breach, described what he saw.

“The data we found covered over a million separate encounters. And with a few queries, I was able to see these people’s medical histories going back years,” he said.

113 Hashed Passwords Leaked

Besides personally identifiable information and medical data, Bahmni leaked the hashed passwords of healthcare professionals and staff.

The company hashed passwords using the SHA-512 algorithm, which our researchers determined is a secure method. However, hashing algorithms tend to weaken over time as computing power grows and new weaknesses are found, so leaked hashes could eventually be exploited.

[Screenshot: Bahmni user list with password hashes]

Bahmni leaked each password hash with its corresponding salt. When kept private, password salts can mitigate the severity of a password breach. But since the salts leaked along with the hashes, they provided no extra security.
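To make concrete what a salted hash record looks like and what the salt actually does, here is an added example; it is not code from the article or from Bahmni, and the page does not say how Bahmni combines salt and password, so the salt-then-password ordering, the 16-byte salt and the hex encoding are assumptions. It builds records with one salted SHA-512 pass, as the article describes, and beside it with PBKDF2-HMAC-SHA512, the iterated form recommended for stored passwords, then verifies both. The salt is stored next to the hash by design, because a verifier must have it to recompute the hash; its job is to make identical passwords hash differently, and the cost of each guess once hashes are exposed comes from the iteration count, not from the salt.

```python
"""Salted password hashing: where the salt lives and what it protects.

Added example, not code from the article or Bahmni. The exact salt/password
construction Bahmni uses is not on the page; salt||password ordering, a
16-byte salt and hex encoding are assumptions made for this example.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 210_000  # work per guess; raise as hardware gets faster


def new_salt() -> bytes:
    """16 random bytes per user, so identical passwords hash differently."""
    return secrets.token_bytes(16)


def sha512_salted(password: str, salt: bytes) -> str:
    """One SHA-512 pass over salt||password (assumed ordering)."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_sha512(password: str, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA512: the same primitive, iterated to slow each guess."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations).hex()


def make_record(password: str, scheme: str = "pbkdf2") -> dict:
    """Build the stored record. The salt is stored in the clear on purpose:
    verification has to recompute the hash with it."""
    salt = new_salt()
    if scheme == "sha512":
        digest = sha512_salted(password, salt)
    elif scheme == "pbkdf2":
        digest = pbkdf2_sha512(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt.hex(), "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison's timing does not reveal how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha512":
        candidate = sha512_salted(password, salt)
    elif record["scheme"] == "pbkdf2":
        candidate = pbkdf2_sha512(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different stored hashes; that is
    the salt's contribution, and it holds whether or not the salt is public."""
    first = make_record(password, "sha512")["hash"]
    second = make_record(password, "sha512")["hash"]
    return first != second


if __name__ == "__main__":
    pw = "constructed-example-password"
    for scheme in ("sha512", "pbkdf2"):
        rec = make_record(pw, scheme)
        print(scheme, "record:", rec)
        print("  correct password verifies:", verify(pw, rec))
        print("  wrong password verifies:  ", verify(pw + "x", rec))
    print("same password, distinct hashes:", same_password_distinct_hashes(pw))
```

The difference between the two records is invisible in storage (both are a salt plus a hex digest); it shows up only in how much work each `verify` call costs, which is exactly the quantity that matters when a table like the one in the screenshot above leaves the building.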

Timeline

This is the timeline of events:

Event                                      | Date               | Time
VPNOverview discovered the breach          | September 19, 2022 | 11:20 AM
Our team notified Bahmni about the breach  | September 20, 2022 | 7:49 PM
We received an email response from Bahmni  | September 21, 2022 | 7:38 AM
Bahmni closed the breach                   | September 21, 2022 | 11:57 AM

After we reached out regarding the breach, Bahmni immediately sealed the leak, removing access to the passwords and any personally identifiable information of patients.

Securing Electronic Medical Records (EMRs)

The use of electronic medical records (EMR) software and integrated solutions is expected to surge through 2030. Hospitals and healthcare systems record patient data using EMR, and the ease of data sharing enables more accurate diagnosis and treatment.

Since EMRs are very sensitive, it is important they remain secure. Cybercriminals can use medical records to launch social engineering scams or phishing attacks tailored specifically for individuals.

Just this month, we’ve seen sensitive patient records splashed on the dark web by hackers. Following an October cyberattack where hackers stole 9.7 million patient records, Australian healthcare provider Medibank refused to pay a ransom. Cybercriminals then set an ultimatum — pay the ransom within 24 hours, or patient data would be leaked. Hackers went through with their threat, releasing data of patients who had been treated for sensitive issues such as addiction or eating disorders.

“I’m glad Bahmni acted to secure this information. Hackers could use this data in a lot of different ways. It could help them target users for scams, or even access prescription drugs. But clearly, it was dangerous to leave laying around in an open bucket. Bahmni does a lot of good things, but they have got to be more careful with EMRs,” Phillips said.

About the author: Prateek, technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.