Emory Healthcare Database Breach: What Happened?Misconfigured MongoDB and Similar Databases Still Falling Victim to Attacks
An attack on a database used by Emory Healthcare for patient appointments is the largest health data breach reported to federal regulators so far in 2017. The incident, which exposed data on almost 80,000 individuals, seems to spotlight a persistent problem facing a growing number of organizations that use misconfigured MongoDB and other similar databases, security exerts say (see Database Hijackings: Who's Next?).
In a statement posted on its website, Atlanta, Ga.-based Emory Healthcare says that on Jan. 3, the organization "learned that there was unauthorized access to [its patient appointment] waits & delays database around the New Year's weekend after someone deleted the database and demanded that EHC pay to have it restored."
In addition to the extortion attack on the database, Emory Healthcare says in its notification statement that it also learned "that there was another unauthorized access by an independent security research center that searches out vulnerabilities in applications and traditionally notifies the company so that it can be remedied."
The unnamed independent security research firm referenced by Emory in its statement is believed to be MacKeeper Security Research Center. That's because Mackeeper wrote in a Jan. 4 blog that on Dec. 30, its security researchers discovered a misconfigured Mongo database that "contained hundreds of thousands of what appeared to be patient records and other sensitive information," belonging to Emory Healthcare. "The IP was hosted on Google Cloud and results for domain names hosted on that address (Reverse IP) identified Emory Brain Health Center," MacKeeper wrote.
According to the Department of Health and Human Services' Office for Civil Rights "wall of shame" tally of health data breaches affecting 500 or more individuals, the Emory Healthcare incident, reported to HHS on Feb. 21, affected 79,930 individuals, making it the largest breach added to the tally this year.
Emory Healthcare, which includes 200 locations, including six hospitals, did not immediately respond to Information Security Media Group's inquiry about whether the attacked patient appointment database was a MongoDB installation.
But Robert Diachenko, a MacKeeper security researcher, tells ISMG that while the "independent security research firm" Emory refers to in its notice is likely Mackeeper, "there was no unauthorized access from our side. What we do during our security audit research is analysis of data received via publicly available Shodan API."
When MacKeeper reached out to Emory about its Dec. 30 discovery of an alleged misconfigured Mongo database containing what appeared to be information on thousands of patients, "we never heard back from Emory," Diachenko says. "When we went back to review the data, it was identified that the database had been a victim of the [hacker] Harak1r1 ...," he says.
"This non-traditional ransom method actually takes and removes the victims' data and holds it until the ransom is paid. The data is wiped out completely from the database and is not simply encrypted like most common types of ransomware attacks," MacKeeper writes in its Jan. 4 blog about its alleged Emory Healthcare related findings.
In a statement provided to ISMG, Emory Healthcare says that once it learned that this third-party database was accessed improperly, "we immediately initiated an internal investigation, alerted law enforcement and are in the process of notifying impacted patients. Additionally, we are taking this opportunity to further review and refine our security measures relating to internal and third-party computer systems."
Affected data includes information used in updating appointment information, including patients' names, dates of birth, contact information, internal medical record numbers, and basic appointment information such as dates of service, physician names and whether patients required imaging - but not the type of imaging, Emory says in its statement.
"It is important to note that EHC does not have any indication that any patient information has been used inappropriately," Emory says in the notification statement posted on its website.
In a statement provided to the blog Databreaches.net, Emory says it did not pay the ransom demanded by the attacker.
Extortion-related attacks, such as the one that targeted Emory Healthcare, have hit potentially thousands of organizations in recent months, some experts say.
"This is still an issue and, apparently, will be an issue for long time," says MacKeeper's Diachenko. "As we see, during the past 50 days, hackers hijacked and ransomed almost 41,000 MongoDB servers. There are 22 ransomware groups detected, not only Harak1r1."
But it's not just healthcare-related organizations that have fallen victim to MongoDB related security incidents. For instance, toy maker Spiral Toys, which manufacturers the CloudPets line of Bluetooth-enabled "smart toys," is under privacy fire for exposing 821,000 user records online, as well as links to 2.2 million parent and child voice recordings captured by its interactive toys and related apps (see Don't Hug These Internet Connected Stuffed Toys). Australian developer and "Have I Been Pwned" administrator Troy Hunt alleges Spiral Toys committed numerous information security errors contributing to its problems, including exposed MongoDB databases that required no passwords for access. Those databases allegedly contain user account information, which was indexed by the internet-connected device search engine Shodan.
Still, it's not just the open-source MongoDB that's been targeted by attackers, Diachenko says. "They have significantly expanded their geography and target other ... databases, such as ElasticSearch, CouchDB, Cassandra, etc.," he says.
A spokesman for MongoDB Inc. tells ISMG that he cannot confirm the number of MongoDB servers that MacKeeper says have been attacked. "However, the vulnerable instances of MongoDB are unsecured and left open on the internet," the spokesman says. "We strongly encourage all users to take adequate steps to secure their data by using the many security features available in the product."
In a recent blog posting, MongoDB Inc. also offers other suggested best practices for safeguarding its databases, including enforcing authentication, enabling access control and limiting network exposure.
Diachenko of MacKeeper offers similar recommendations to organizations using MongoDBs. "The best advice would be to double check external network configuration - including MongoDB - and make sure that there is an authentication in place. If access control is configured correctly, attackers should not have been able to gain access to your data. When access control is enabled, audit the system logs for unauthorized access attempts or suspicious activity."
The attacks on MongoDB appear to have begun occurring since at least late 2016. Researcher Victor Gevers, co-founder of the not-for-profit GDI Foundation, said in January that he discovered in December that a hacker dubbed Harak1r1 was compromising misconfigured MongoDB servers left open to external connections and attempting to extort ransoms for stolen data after erasing the databases.