An unsecured database belonging to the American medical AI platform provider Deep6.ai was identified by security researcher Jeremiah Fowler and Website Planet. The database contained more than 800 million records relating to patients and physicians and could be accessed over the Internet by anyone, with no password required.
Deep6.ai has developed AI-based software that can be used on raw data to identify individuals with medical conditions that are not mentioned in their medical records. The software is particularly useful for finding individuals who match the criteria for clinical trials and can significantly shorten the time to find suitable trial participants.
The database contained 68.53 GB of data and included 886,521,320 records, most of which related to individuals in the United States. While some of the information was encrypted, physician notes and physician information were in plain text and could be viewed by anyone.
Fowler and Website Planet identified the following information in the dataset: Date, document type, physician note, encounter IDs, patient IDs, notes, uuid, patient type, noteId, date of service, note type, and detailed note text. Physician notes contained details of patients’ illnesses, treatment, medications, and in some cases, information about patients’ family, social, and emotional issues.
The dataset consisted of three parts: a concept index containing 21 million records that exposed lab test results and medications; a patient index containing 422 million records that exposed internal patient logging and tracking processes, although patient names were not stored in plain text; and a provider index of 89,000 records that exposed physician names, internal patient ID numbers, document locations and .CSV files, and other potentially sensitive information, including files showing where data are stored.
In addition to exposing the data to anyone with an Internet connection, the unsecured database was also at risk of a ransomware attack. After searching the database, Fowler and Website Planet were able to determine that it belonged to Deep6.ai. Following responsible disclosure practices, Deep6.ai was notified and the database was immediately secured. It is unclear how long the database was exposed online and whether anyone accessed the data during that time.
The post Medical AI Database Containing More Than 800 Million Records Exposed Online appeared first on HIPAA Journal.