Security researcher Jeremiah Fowler and Website Planet discovered an unsecured database that belongs to Deep6.ai, an American medical AI platform provider. The database had more than 800 million files of patients and doctors and can be accessed online by any person without asking for a password.
Deep6.ai has created AI-based software that could be utilized on raw data to determine people with medical ailments that are not stated in their medical files. The software program is especially helpful for searching individuals who fit the conditions for clinical tests and can considerably reduce the time to locate appropriate trial participants.
The database included 68.53 GB of files and had 886,521,320 documents, the majority of which were related to persons in America. Although a few of the information was encrypted, physician notes and doctor data were in plain text and may be seen by anybody.
Fowler and Website Planet discovered the following information in the dataset: Date, document type, physician note, encounter IDs, patient IDs, uuid, noteId, patient type, note type, date of service, and specific note text. Physician notes comprised details of patients’ health problems, treatment, medicines, and in a number of cases, details regarding patients’ household, emotional and social concerns.
The dataset included three parts: A concept index made up of 21 million records that disclosed lab test results and medicines; a patient index that contain 422 million records that revealed internal patient logging and tracking procedures, though patient names were not kept in plain text; and a provider index, which contained 89,000 details that revealed doctor names, internal patient ID numbers, record locations and .CSV files, and other possibly sensitive details, with files stating where information is saved.
Besides compromising the information to anybody who can connect on the Internet, the database was additionally vulnerable to a ransomware attack. After exploring the database, Fowler and Website Planet were able to learn the database belonged to Deep6.ai. Adhering to responsible disclosure protocols, Deep6.ai was informed and the database was quickly protected. It is uncertain for how long the database was exposed on the internet and whether any person viewed the records during that time.