A huge trove of patient data leaks, thanks to telemarketers' bad security

The data of almost a million patients with diabetes and other medical ailments has been secured.
Written by Zack Whittaker, Contributor

A trove of records containing personal and health information on close to a million people was exposed after a former developer working at a telemarketing company uploaded a backup of its database to the internet.

The backup database of 918,000 people belongs to a Boca Raton, Fla.-based telemarketing company, HealthNow Networks (not affiliated with Blue Cross Blue Shield), which provides medical supplies and equipment to mostly older patients who rely on diabetic support.

The database was initially found on March 25 by a Twitter user named "Flash Gordon" on an Amazon Web Services instance at an IP address that was found on Shodan, a search engine for open ports and databases.
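The exposure above was visible because a database service answered on an internet-facing port, which is exactly what an index like Shodan records. As an added example (not part of ZDNet's reporting and not code from HealthNow or Medibox), the check a practitioner would run against their own instance: a Python script that attempts TCP connections to the default ports of common database engines and reports which ones are reachable. The port table, the timeout and the target host are assumptions; the script reports reachability only, not whether the service then demands authentication.

```python
"""Added example: list which default database ports a host accepts TCP
connections on. Reachable does not mean open to the world without credentials,
but anything listed here deserves a look at the security group and bind address.
"""
import socket
import sys
from typing import Iterable

# Assumption: engines on their default ports. A server moved to a non-default
# port is not caught by this table (Shodan would still index it).
DEFAULT_DB_PORTS = {
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    1433: "Microsoft SQL Server",
    27017: "MongoDB",
    6379: "Redis",
    9200: "Elasticsearch",
    5984: "CouchDB",
    9042: "Cassandra",
}


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: treat all of them as not exposed.
        return False


def exposed_db_ports(host: str, ports: Iterable[int] = DEFAULT_DB_PORTS,
                     timeout: float = 1.0) -> dict:
    """Map every reachable port in `ports` to its engine name.

    Ports not in DEFAULT_DB_PORTS are reported as 'unknown' so callers can pass
    their own list (e.g. a non-default port they know about).
    """
    return {
        port: DEFAULT_DB_PORTS.get(port, "unknown")
        for port in ports
        if tcp_port_open(host, port, timeout)
    }


if __name__ == "__main__":
    # Usage: python check_db_ports.py <host>   (defaults to localhost)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = exposed_db_ports(target)
    if not found:
        print(f"{target}: no default database ports reachable")
    for port, engine in sorted(found.items()):
        print(f"{target}:{port} accepts connections ({engine}); "
              "confirm it is not bound to a public interface")
```

Run it from outside the network the instance lives in (a laptop on a different connection, or a second cloud account) so the result reflects what the internet sees rather than what a security-group peer sees.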

The data contained personal and health-related information, such as names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, health insurance information, and other data relating to the types of health problems the individuals have regarding the products they need, though many of the records were truncated or incomplete.

An examination showed that the database was used to market products to thousands of customers by telemarketers at HealthNow -- no longer a registered business as of 2015. Several records we've seen included customized notes written by staff who were tasked with calling customers, such as when they are home and any other relevant information on the subject.

Many customers nonetheless turned over their health insurance information to the telemarketers, under the impression that they would get medical supplies at a lower or discounted price in return.

A joint investigation by ZDNet and DataBreaches.net resulted in the data being secured. We also found the developer responsible for the exposure.

HealthNow is owned by Dino Romano, a former Unistar executive and securities fraud recidivist. It ceased as a business in 2015 after failing to file an annual report with the Florida authorities. The company is one of many ventures over the past few years by Romano, many of which were opened and closed in a short space of time.

When contacted, Daynier Brown, a software developer contracted by Romano to build a customer database, confirmed that he obtained a copy of the database while he worked for Romano. In a phone call this week, Brown said he found the backup on a failing hard drive in a development server he owned from his earlier HealthNow project. He put the data on an Amazon Web Services instance he owned, which pointed to MediboxSolutions.com, a website owned by Brown that was intended to eventually provide customer database solutions for medical services.

"It was too much work, and it didn't pan out," he explained.

But Brown, who said he hadn't worked for Romano in over three years, wouldn't say why he had the data all this time, why he still had it, or why he didn't delete the data after he stopped working for HealthNow. He also couldn't say why the database was stored in an unencrypted format.

After numerous requests by both ZDNet and DataBreaches.net for Brown to review the server logs, Brown would not confirm how many people may have improperly accessed the data.

Brown also refused to say how long the database was stored on the instance, though the time stamp on the database showed it had been backed up in September 2016, more than a year after HealthNow was dissolved.

Brown said that he has since deleted the database.

We sent several questions to numerous email addresses associated with Romano, to ask who else had access to the database, among other questions, but Romano did not respond.

An analysis of the database by DataBreaches.net showed that the majority of the records were associated with subscribers of UnitedHealthcare, Aetna, and Cigna plans, as well as Blue Cross Blue Shield, which said in a comment that it was now "aware of this scheme involving a suspicious telemarketing company that has no association with our organization, and we alerted law enforcement, including the FBI, to this issue."

HealthNow also said in its privacy policy that it isn't covered under US healthcare privacy law (HIPAA), making any federal enforcement action difficult.

The Federal Trade Commission (FTC) has however already investigated numerous medical equipment businesses and settled charges, as recently as 2014.

An FTC spokesperson said that its orders "typically have monitoring and reporting requirements to help ensure that defendants under order do not engage in future illegal conduct and the FTC regularly monitors consumer complaints that can highlight particular areas of consumer concern."

We also provided the database to Troy Hunt, security researcher and owner of the breach notification site Have I Been Pwned, who also analyzed the data. Hunt confirmed there were 321,920 unique email addresses in the database that can be notified about their data having been exposed, and around 80 percent of those records were already in his database.

Hunt said that concerned subscribers can now search through the data in Have I Been Pwned.
