INSUBCONTINENT EXCLUSIVE:
Healthcare startup Lyfebin exposed thousands of medical imaging files, such as X-rays, MRI scans and ultrasounds.
The Los Angeles-based
healthcare startup allows doctors and medical staff to store medical images in its &secure environment,& per its website, allowing patients
and doctors access from anywhere.
But the files were found stored in an unprotected Amazon Web Services (AWS) storage bucket, without a
password, allowing anyone who knew the easy-to-guess web address access to the data.
The files were dated between September 2018 to October
2019.
After we reached out to warn of the security lapse, Lyfebin secured the data.
The storage bucket contained more than 93,000 files —
many appeared to be duplicates — containing medical scans
The files were stored in the DICOM format, a common file type used by medical imaging equipment
When opened, DICOM files contain the images from the scan as well as other metadata, such as the patient date of birth and the name of the
physician.
When asked, Lyfebin wouldn&t say how many individual patients were affected
Instead, an unnamed company spokesperson claimed that the bucket was a &test environment where we use fake accounts and fake patient
accounts to test out new features,& but provided no evidence to support the claim
(We asked several times for the spokesperson name, but the company representative stopped returning our emails.)
One of the scans found in
the exposed storage bucket
&When we ingest patient information into our servers, we remove all identifying information,& the unnamed
&No patient information has been exposed,& they added.
Many of the files appeared to be anonymized to some degree, though we found evidence
of some potentially identifiable information — including physician names and the patient gender and date-of-birth, even if the patient
name had been scrambled from the file cover sheet.
One file we examined still contained a name
The file had enough identifiable information to allow us to search for the person using public records
When reached, the person could not recall the specific date of their scan.
When asked to clarify, the unnamed spokesperson repeated the
claim that the data contained &fake patient information,& thenthreatened TechCrunch with legal action.
&If published, our legal team will
review your article for any inaccuracies and will sue with the highest extent of the law for any malfeasance by you or TechCrunch,& the
spokesperson said.
Lyfebin did not answer our other questions, including how long the bucket was exposed
The company would not say if the company plans to inform customers of the security lapse, nor would it say if it planned to disclose the
incident to local authorities per state data breach notification laws.
Read more:
Over 750,000 applications for US birth certificate copies
exposed online
Sprint contractor left thousands of US cell phone bills exposed
Tuft - Needle exposed thousands of customer shipping
labels
StockX was hacked, exposing millions of customers& data
Stop saying, ‘We take your privacy and security seriously&