Researcher Found Unsecured Database Server Containing 1,864 GB of OrthoMinds’ Data

A vendor of cloud-based orthodontic practice software is notifying an undisclosed number of patients that their data was exposed to the internet for 10 days last November. But the security researcher who discovered the unsecured database alleges the exposure appears to have lasted longer than that and affected at least 200,000 patients.
Georgia-based OrthoMinds in a public statement Thursday said it is notifying clients and individuals potentially affected by the data security breach.
“In November 2024, OrthoMinds learned of a potential incident within its network environment. Upon discovery, OrthoMinds launched an investigation into the nature and scope of this potential incident, including remediation efforts,” the company said. OrthoMinds’ investigation determined that files and folders stored on certain databases may have been accessible to others outside its organization between Nov. 17 and Nov. 27, 2024, the firm said.
“As a result, OrthoMinds remediated to prevent the potential for ongoing access and began an extensive review of these files and folders to determine whether sensitive information may be impacted,” the company said.
The information potentially compromised includes names, dates of birth, medical information, health insurance information, payment card information and Social Security numbers.
But the security researcher – who discovered the unsecured data and notified OrthoMinds about his findings last November – told Information Security Media Group that the server containing the databases was exposed at least since October 2024, if not longer.
It appears that potentially hundreds of OrthoMinds’ clients and more than 200,000 patients were affected by the exposure, he said.
The researcher, who goes by the handle JayeLTee, issued a report in January about his OrthoMinds discovery. JayeLTee told ISMG that he monitors millions of endpoints for exposed data and tries “to find things to report between all the ‘junk.’”
“Around Oct. 23, 2024, this server showed up on my logs along with hundreds of thousands of other servers, as allowing listing of files with no authentication,” he said. “It was only in November 2024 that I eventually looked specifically at this server to see what was exposed and then contacted the company. So, the server was exposed at least since October 2024.”
In his January report, JayeLTee said he found 1,863.71 gigabytes of exposed data – or more than 300 database backups dating from November 2020 through mid-October 2024 – belonging to dental clinics that are OrthoMinds clients.
“It was 300 files exposed, but some clients had multiple backup files that looked like they spanned through multiple years from the timestamps on the filenames, so the client number would be less than that,” he said. “It was at a minimum over 200,000 patients just by looking at one of the backups, but I have no clue how much more than that,” he told ISMG.
OrthoMinds initially reported the breach to federal regulators on Jan. 24 as a “hacking/IT incident” involving a network server and “other” IT. The company told the U.S. Department of Health and Human Services that the incident affected 501 individuals, but that estimate was likely a placeholder figure at the time.
OrthoMinds did not immediately respond to ISMG’s request for additional details about the incident, clarification about the actual number of individuals and clients affected, and whether the firm was filing an updated breach report to HHS OCR.
In a breach notice posted on its website, OrthoMinds said it has no evidence to date that information was misused or that there were attempts to misuse it.
OrthoMinds said it is offering complimentary credit monitoring to individuals whose Social Security numbers or payment card information may have been compromised in the incident.
“OrthoMinds also reviewed and enhanced existing policies and implemented additional technical security measures to further protect against similar incidents moving forward,” the company said.
Other Mishaps
Unfortunately, incidents involving the exposure of data to the internet because of IT misconfigurations or similar mishaps are a persistent problem in healthcare, as well as other sectors.
“What happened here was the company left a cloud storage server with no access controls and anyone who found this server could list all the files and download them with no authentication at all,” JayeLTee told ISMG.
Other security researchers have discovered similar incidents involving the exposure of unsecured health data to the web.
Among them, researcher Jeremiah Fowler of security services firm Security Discovery in February disclosed the discovery of an unsecured database containing 2 terabytes of data that allegedly exposed more than 1.6 million clinical trial research records to the internet. The records related to Houston-based DM Clinical Research, a multi-therapeutic network of clinical trial sites (see: Clinical Trial Database Exposes 1.6M Records to Web).
That discovery was among many others by Fowler involving exposures of health data and other sensitive information (see: Mental Health Records Database Found Exposed on Web).
Federal regulators have taken HIPAA enforcement actions in at least one large incident involving protected health information exposure because of a misconfiguration (see: Clearinghouse Pays $250K Settlement in Web Exposure Breach).
“This is indeed really common – the exact reasons why this happens though is unknown to me, as I don’t ask why and companies don’t usually disclose it either,” JayeLTee told ISMG of the recurring mishaps involving the unintentional leakage of sensitive data to the web.
“But it all comes down to companies not properly securing their environments and leaving data publicly exposed,” he said.