CrelioHealth, a cloud-based laboratory information management system, suffered a significant data breach that exposed the sensitive information of tens of thousands of individuals.
The breach was caused by an open Elasticsearch cluster containing millions of lab records, including data from the National Reference Laboratory in the United Arab Emirates. SecurityDiscovery CEO Bob Diachenko estimates that over 28 million records were exposed, potentially impacting 50,000 to 100,000 people. The exposed data included passport numbers, names, genders, nationalities, and more.
CrelioHealth attributed the exposure to an accidental assignment of a public IP address during a data migration process. The company claimed to have taken immediate action to address the breach and implement security measures to protect the compromised data.
Even so, the incident highlights the risks that follow such breaches, including identity theft, phishing attacks, and fraudulent activities.
Mantas Sasnauskas, head of the Cybernews research team, emphasized the importance of robust data security measures and regular audits to prevent such leaks.
The incident could have violated privacy laws, such as the Health Insurance Portability and Accountability Act in the US and the General Data Protection Regulation in the EU. Additionally, threat actors could exploit the leaked data to gain unauthorized access to sensitive systems.