Breaches at MedicareSupplement.com and Summa Health Impacts At Least 5 Million-Records

The personal information of roughly 5 million people stored in a MongoDB database were freely accessible on the internet. MedicareSupplement.com is the owner of the database made up of personal and health information. TZ Insurance Solutions operates MedicareSupplement.com, which people use to find a Medigap insurance coverage. People in need of coverage could check out the website to get more info about good health plans and can receive quotes by filling out an online form with their personal information.

Security researcher Bob Diachenko and Compariteh researchers discovered the unsecured database on May 13, 2019. Information such as name, address, IP address, email address, telephone number, birth date, gender, health data, lifestyle information, auto and supplemental insurance plan of approximately 239,000 records were contained in the database.

For how long the database remained exposed is unclear. But it was discovered that on May 10, 2019, the BinaryEdge search engine spidered the database. The researchers informed MedicareSupplement.com regarding the breach. Though there was no response, the database was secured. Without the authentication controls, hackers could potentially erased or modified data or installed malware.

Summa Health in Akron, OH also had a breach where the email accounts of its employees were accessed by unauthorized people. Patient data may have been viewed or copied.

Summa Health discovered the breach on May 1, 2019. Investigators verified the report of two employee email accounts compromised in August 2018, in March 11 and in March 29 because of employees responding to phishing emails.

A leading computer forensics company investigated the breach and confirmed the email accountsl and potential viewing of protected health information (PHI). No evidence showed that patient data was viewed or stolen, but its likelihood cannot be ruled out. For the majority of patients, their names, birth dates, certain clinical and treatment data, patient account numbers and health record numbers were exposed. The Social Security numbers or driver’s license numbers of some patients were likewise compromised.

To prevent similar email security breaches, Summa Health is implementing extra security controls. Employees will get more training on privacy and security. Summa Health has no mention of the number of patients affected by this breach, though the breach is said to have affected more than 500 people.