Millions of patients of Mexican hospitals exposed through a misconfigured Kibana instance
Learn More
Cybernews researchers have uncovered a major data leak, exposing sensitive personal information of approximately 5.3 million patients of hospitals in Mexico—about 4% of the nation's population. The incident stems from a misconfigured Kibana instance, a tool commonly used for monitoring and analyzing data, which lacked proper password protection.
The misconfigured Kibana instance was traced back to eCareSoft Inc., a Texas-based software company specializing in cloud-based hospital information systems. Their platforms, used by over 30,000 doctors, 65 hospitals, and 110 outpatient care centers, manage various aspects of healthcare operations, including patient records, billing, and inventory.
The unsecured database contained 500GB of sensitive information, including:
- Names
- Ethnicities
- Nationalities
- Religions
- Blood types
- Dates of birth
- Genders
- Phone numbers
- Email addresses
- Clave Única de Registro de Población (CURP) numbers (Mexican personal identification numbers)
- Healthcare service charges
- Hospitals visited
- Payment request descriptions
While detailed health records were not part of the leaked data, the exposure of CURP numbers is particularly concerning. These identifiers, similar to Social Security numbers in the U.S., can be exploited for identity theft and other fraudulent activities.
After a report, the eCareSoft team promptly secured the open instance. However, at the time of reporting, it was unclear whether affected individuals and healthcare providers had been notified.
