VPNOverview’s security team discovered a data breach in which the medical information of 197,497 people, stored online, was exposed. The source of the leak was Bahmni, an electronic medical record and hospital system combining several open-source products.
According to Bahmni, over 500 websites in more than 50 countries use their software, which was also chosen for national rollouts in Tanzania, Lesotho, and Bangladesh. Bahmni claims to manage the patient records of over two million people.
OpenMRS Database Left Open
Researchers at VPNOverview found an unsecured Amazon Web Services (AWS) S3 bucket belonging to Bahmni. Upon examining the bucket, we found it contained an OpenMRS database backup. VPNOverview’s security team was able to restore the backup and browse through the data.
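A check a bucket owner could run against the configuration behind an exposure like this one, as an added example (not VPNOverview's or Bahmni's code): it takes the bucket policy document and ACL grant list in the shapes the AWS API returns and lists every grant made to everyone; the bucket name, Sid values, IDs and VPC endpoint id in the sample are assumptions.

```python
# Added example (not VPNOverview's or Bahmni's code): flags S3 bucket settings that expose
# objects to everyone, using the policy/ACL shapes get_bucket_policy and get_bucket_acl return.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def principal_is_public(principal):
    # Matches Principal "*" as well as {"AWS": "*"} or {"AWS": [..., "*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Allow statements for a wildcard principal with no Condition narrowing them."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and principal_is_public(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(grants):
    """ACL grants to the AllUsers / AuthenticatedUsers predefined groups."""
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def bucket_exposure(policy_json, grants):
    """Human-readable findings; an empty list means no wide-open grant was found."""
    findings = [f"policy {s.get('Sid', '?')}: Allow {s.get('Action')} to everyone"
                for s in public_policy_statements(policy_json)]
    findings += [f"acl: {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
                 for g in public_acl_grants(grants)]
    return findings
# Constructed sample: anonymous read/list on a backup bucket plus a public-read ACL grant.
# The VPC-restricted statement is not flagged because its Condition narrows the grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-EXAMPLE"}, "Permission": "FULL_CONTROL"},
                 {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
```

Run `bucket_exposure(SAMPLE_POLICY, SAMPLE_GRANTS)` against the sample to see both findings; an account-wide S3 Block Public Access setting makes such grants ineffective, but the check above still shows which grants would open the bucket if that setting were ever relaxed.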
OpenMRS is a free, open-source healthcare project, self-described as being designed for use in places with limited resources. Bahmni leverages OpenMRS as part of its integrated solution.
Medical Data and Personal Information of 197,497 People Exposed
The leaked database exposed the medical information of 197,497 people, including appointment dates, hospital admissions, age, gender, and names of patients. Some location data was also exposed, but Bahmni anonymized street addresses.
The information seems to belong to people in the Chhattisgarh state of central India. They were patients at a hospital system in Ganiyari, a village 500 miles west of Kolkata.
Aaron Phillips, the cybersecurity professional who discovered the breach, described what he saw.
“The data we found covered over a million separate encounters. And with a few queries, I was able to see these people’s medical histories going back years,” he said.
113 Hashed Passwords Leaked
Besides personally identifiable information and medical data, Bahmni leaked the hashed passwords of healthcare professionals and staff.
The company hashed passwords using the SHA-512 algorithm, which our researchers determined is a secure method. However, hashes tend to become less secure over time as attacks improve, and any weakness found later could be exploited against the leaked hashes.
Bahmni leaked each password with its corresponding salt. When kept private, password salts can mitigate the severity of a password breach. But since the salts leaked along with the passwords, they provided no extra security.
This is the timeline of events:
| Event | Date | Time |
|---|---|---|
| VPNOverview discovered the breach | September 19, 2022 | 11:20 AM |
| Our team notified Bahmni about the breach | September 20, 2022 | 7:49 PM |
| We received an email response from Bahmni | September 21, 2022 | 7:38 AM |
| Bahmni closed the breach | September 21, 2022 | 11:57 AM |
After we reached out regarding the breach, Bahmni immediately sealed the leak, removing access to the passwords and any personally identifiable information of patients.
Securing Electronic Medical Records (EMRs)
The use of electronic medical records (EMR) software and integrated solutions is expected to surge through 2030. Hospitals and healthcare systems record patient data using EMR, and the ease of data sharing enables more accurate diagnosis and treatment.
Just this month, we’ve seen sensitive patient records splashed on the dark web by hackers. Following an October cyberattack where hackers stole 9.7 million patient records, Australian healthcare provider Medibank refused to pay a ransom. Cybercriminals then set an ultimatum — pay the ransom within 24 hours, or patient data would be leaked. Hackers went through with their threat, releasing data of patients who had been treated for sensitive issues such as addiction or eating disorders.
“I’m glad Bahmni acted to secure this information. Hackers could use this data in a lot of different ways. It could help them target users for scams, or even access prescription drugs. But clearly, it was dangerous to leave laying around in an open bucket. Bahmni does a lot of good things, but they have got to be more careful with EMRs,” Phillips said.