Security researcher Jeremiah Fowler together with the WebsitePlanet research team found an unprotected database belonging to Deep6. The records appear to contain data of those based in the United States.
Update: Deep6 reached out and said the news is misleading, saying “In August, a security researcher accessed a test environment that contained dummy data from MIT’s Medical Information Mart of Intensive Care (MIMIC) system, an industry standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems.”
Meanwhile, according to WebsitePlanet, Mr. Fowler said, “I sent 3 follow-up emails on Aug 11, Aug 12, Aug 23. No one has ever replied since the first message on Aug 10th. I validated that the doctors’ names were real individuals by searching obscure names (see screenshot). This is highly unusual in my experience to use real individuals’ data in a ‘dummy environment’ under any circumstances. Because no one replied, we added our disclaimer that we are highlighting that no patient data appeared in plain text, the records were ‘medical related’, and we never implied any wrongdoing or risk.”
Check It Out: (Update) Medical AI Company ‘Deep6’ Leaks 68 GB Trove of Patient Records
Andrew:
Two sentences say it all:
‘Security researcher Jeremiah Fowler together with the Website Planet research team discovered a non-password protected database that contained 886,521,320 records.’
‘The exposed records revealed Physician Notes that provided intimate details of patient illness, treatment, medication, family, social and even emotional issues.’
Res Ipsa Loquitur https://en.wikipedia.org/wiki/Res_ipsa_loquitur?wprov=sfti1
If one physician did this to one patient, that one physician would be disciplined by the Board of Medical Quality Assurance, likely lose their licence and be subject to prosecution. But a company that does this with 0.9 billion records? Oh, that’s right; they’re not medical professionals, so let’s not hold them to that standard, AND they can have your medical records.
It is mind-numbingly perplexing that this level of negligence is not being criminally prosecuted, and yet the offence is so common that it is relegated to off-beat media.
Perhaps the next physician reported for breaching patient confidentiality should plead that they’re just a computer engineer. Or a social media platform.