CrelioHealth leak exposed 28M+ patient records

September 13, 2023

Human error in configuring data storage continues to result in massive leaks or potential leaks of personal and sensitive health data. In today’s news, we learned that CrelioHealth left an Elasticsearch cluster exposed. Luckily for them, it was a white hat researcher, Bob Diachenko of SecurityDiscovery, who spotted the problem and alerted them.

According to media coverage by Cybernews, the types of information included:

  • Patient passport or ID number
  • Full name
  • Gender
  • Nationality
  • Mobile (if specified)
  • Address (if specified)
  • Email (if specified)
  • Date of birth
  • Other data (service indicator, control ID, lab sample ID, personnel log used in HL7 messaging standard format)

The company reportedly told Diachenko that the exposure had just happened that day during some migration, and they responded promptly to his alert and secured it.