MedicareSupplement.com is using an unsecure, public database.
Last week, Inside Digital Health™ reported that the use of an unsecure database, MongoDB, could have put thousands of patients who use Vascepa at risk of attack. But more than one healthcare organization is using the public database to store data.
Comparitech and security researcher Bob Diachenko today said they uncovered that an online database of more than 5 million records belonging to MedicareSupplement.com was left open and accessible to the public.
The researchers are unaware if an unauthorized user gained access to the database.
MedicareSupplement.com is an insurance marketing website that helps users find supplemental medical insurance. Users must enter personal information to receive a quote.
Approximately 239,000 records also indicated an insurance interest area, such as cancer, life and auto.
Inside Digital Health™ made several attempts to speak to a spokesperson from Medicare Supplement but could not reach anyone.
Diachenko said there are ramifications of exposing databases such as MongoDB without a password or other authentication.
“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers,” he said. “The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.”
When the malware is in place, criminals can remotely access server resources and run code to steal or destroy any data saved on the server.
Diachenko and Comparitech warn anyone who has used MedicareSupplement.com in the past to look out for medical identity theft and to learn how to spot phishing emails.