Security researcher Jeremiah Fowler and Website Planet discovered an unsecured database owned by Deep6.ai, an American medical AI platform provider. The database comprised over 800 million data of patients and consultants and can be accessed over the web by any person without needing a password.
Deep6.ai has designed AI-based software that may be applied to raw data to locate people having medical illnesses that are not noted in their medical files. The software program is notably valuable for locating people who match up with the standards for clinical studies and can substantially lessen the time to uncover ideal trial participants.
The database included 68.53 GB of data files and contained 886,521,320 documents, many of which were associated with persons in the U.S.. Though certain data was encrypted, physician notes and doctor data were in plain text and may be read by any person.
Fowler and Website Planet found this information in the dataset: Date, file type, physician note, patient IDs, encounter IDs, uuid, patient type, noteId, date of service, note type, and complete note text. Doctor notes comprised specifics of patients’ conditions, treatment, prescription drugs, and in certain cases, data concerning patients’ family members, social, and emotional problems.
The dataset contained 3 parts: A concept index made up of 21 million records that disclosed laboratory test data and drugs; a patient index that contain 422 million records that revealed internal patient logging and monitoring steps, even though patient names weren’t saved in plain text; and a provider index, which involved 89,000 details that uncovered doctor names, internal patient ID numbers, data locations and .CSV files, and other likely sensitive details, with files featuring where information is kept.
Aside from disclosing the information to anybody who could connect online, the database was likewise prone to a ransomware attack. After browsing the database, Fowler and Website Planet had determined the database was owned by Deep6.ai. Pursuing responsible disclosure procedures, Deep6.ai was advised and the database was promptly made secure. It is not clear how long the database was compromised on the web and whether any individual viewed the records during that moment.
