A Long Island, New York, medical practice left open a port normally used for remote synchronisation, exposing at least 42,000 medical records.
UpGuard Director of Cyber Risk Research Chris Vickery found that port 873, normally used for remote synchronisation and moving data between devices, was open and configured for global access on a server belonging to the medical practice of Cohen Bergman Klepper Romano Mds PC, allowing anyone who knew the server's IP address to find the data. A secure server would allow access only from select IP addresses, UpGuard wrote.
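The misconfiguration described above comes down to a synchronisation service that accepts connections from any source. The following audit script is an added example, not code from UpGuard or the practice; it assumes the service on port 873 was an rsync daemon driven by an rsyncd.conf file (the article does not name the software) and uses two constructed configurations: one that grants global access and one restricted to a placeholder private subnet. It parses the file, applies rsync's rule that module sections inherit global settings, and flags modules with no `hosts allow` restriction, writable or listable modules, and modules with no `auth users` requirement.

```python
import re

# Constructed sample rsyncd.conf mirroring the reported weakness: no source
# restriction, so any host that knows the IP address can connect (illustration only).
WEAK_CONF = """
uid = nobody
gid = nobody
use chroot = yes

[patient_data]
    path = /srv/emr          # placeholder path
    comment = Practice records
    read only = no
    list = yes
"""

# Constructed hardened variant: access limited to a placeholder internal subnet,
# module read-only, hidden from listing, and requiring a named user.
HARDENED_CONF = """
uid = nobody
gid = nobody
use chroot = yes
hosts allow = 192.168.10.0/24
hosts deny = *

[patient_data]
    path = /srv/emr
    read only = yes
    list = no
    auth users = syncuser
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into {section: {key: value}}.

    The empty-string key holds global settings; rsyncd lets module sections
    inherit those, so the audit merges them below.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        # Strip trailing '#' comments and whitespace; skip blank and ';' lines.
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def audit_rsyncd_conf(text):
    """Return (module, finding) tuples for exposure-related weaknesses."""
    conf = parse_rsyncd_conf(text)
    findings = []
    for module, settings in conf.items():
        if module == "":
            continue
        effective = {**conf[""], **settings}  # module settings override globals
        allow = effective.get("hosts allow")
        if allow is None or allow.strip() == "*":
            findings.append((module, "no source restriction: 'hosts allow' missing or wildcard"))
        # rsync defaults: read only = yes, list = yes, auth users unset (anonymous).
        if effective.get("read only", "yes").lower() in ("no", "false", "0"):
            findings.append((module, "module is writable (read only = no)"))
        if effective.get("list", "yes").lower() in ("yes", "true", "1"):
            findings.append((module, "module is listable (list = yes)"))
        if "auth users" not in effective:
            findings.append((module, "no authentication required (auth users unset)"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for module, finding in audit_rsyncd_conf(conf):
            print(f"  [{module}] {finding}")
```

Restricting `hosts allow` is the control the article's "select IP addresses" remark points at; a host-based firewall in front of port 873 is the usual second layer, since the daemon's own check only runs once the connection is accepted.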
The flaw exposed the patient names, Social Security numbers, ethnicity, insurance information, dates of birth and phone numbers held by the Huntington, New York practice. In addition, physicians' personal information, including Social Security numbers, and more than three million doctors' notes on their patients, along with emails, were also left unprotected, UpGuard said.
The unsecured server was found on 25 January 2018 and secured on 19 March.
“Beyond the obvious sensitivity of any exposure of an individual's medical background, the leak of patient and doctor Social Security numbers, in association with personal details like home address, insurance information, and date of birth, provides ample ammunition for fraudsters. Armed with the contact information for patients, and the knowledge of which doctor's office they go to, malicious actors could also socially engineer exposed individuals, posing as a representative of the physicians to further extract sensitive information,” UpGuard reported.