Up to 200,000 patient records from Office 365 and Google G Suite exposed by hardcoded credentials and other improper access controls.

Developer error caused the leak of 150,000 to 200,000 patient health records stored in productivity apps from Microsoft and Google that were recently found on GitHub.

Dutch researcher Jelle Ursem discovered nine separate files of highly sensitive personal health information (PHI) from apps such as Office 365 and Google G Suite from nine separate health organizations. He had difficulty reaching the companies whose data had been leaked and so eventually reported the breach to DataBreaches.net, which worked with him to publish a collaborative paper, “No Hack When It’s Leaking,” on the findings.

The title refers to the discovery that the information was exposed not through an attack or unaurhtorized entry into the health systems, but because of developers’ improper configuration of access controls and hardcoded credentials in the storing of the information, according to the paper.

Among the errors developers made included: Embedding hard-coded login credentials in code instead of making them a configuration option on the server the code runs on; using public repositories instead of private repositories; failing to use two-factor or multifactor authentication for email accounts; and/or abandoning repositories instead of deleting them when no longer needed, they wrote.

#privacy #cloud storage #data leak #developers #github #security