Oh, baby! Newborn-care website leaves database of medics wide open

Health Stream, are you out there? The guy that found your data leak wants a word

Doctor Nick Riviera

A US healthcare company seemingly exposed on the public internet contact information for roughly 10,000 medical professionals.

IT pro Brian Wethern said he warned Health Stream nine days ago that one of its now-removed websites had left a database of users out in the open, allowing anyone to slurp the first and last names of medics, and their email addresses and ID numbers. These professionals appear to be connected to Health Stream's Neonatal Resuscitation Program.

We're withholding the URL of the leaky website at this stage because its data is lingering in online caches.

Wethern told The Register he believes the company used the database to deliver messages from instructors to students – for example, to set up or confirm a class. The site hosting the information was taken offline shortly after Wethern reported it, and remains inaccessible. We have seen a copy of the database to verify it had indeed leaked online.

Spear-phishing opportunities

Had the data been accessed and copied by the wrong person, the email addresses could have been used for specific attacks on relatively high-value targets: medical professionals and instructors. More importantly, said Wethern, the fact that such a database was left open to the public wouldn't bode well for security on other parts of the website and its infrastructure.

"What I found was a front-side database," Wethern explained. "I don't need their passwords ... because I have the front-side database."

Health Stream did not return multiple requests for comment, so we are unable to get their side of the story. Wethern said he last heard from the Nashville-based biz eight days ago when it sent its first and only response to his privacy alert.

Now, Wethern said, he's going public in the hope other companies will be a bit more forthcoming and responsive to researchers who discover these sorts of data leaks.

"Hire a basic researcher, first and foremost. Allow your company to budget for these types of intrusions," Wethern suggested.

"And before this all happens, make sure to have a data breach summary in place. Be current with bug bounty programs, own up to your mistakes, and honor the fact that security researchers can be good people out to do good things." ®




Biting the hand that feeds IT © 1998–2018