The case was revealed by Jakub Staśkiewicz, author of the blog. An anonymous reader also helped publicize it by reporting security gaps in medical office software. Staśkiewicz decided to look into the problem and confirmed that it occurs in applications used by pharmacies, medical offices and clinics – several thousand medical entities in total. According to the anonymous whistleblower who drew attention to the case, unauthorized persons could thus have gained access to the data of up to 10 million Polish patients.
Vulnerability in applications used by medical offices. Data of millions of patients were exposed
The applications where the problem was detected are used to handle patient visits. Personal and contact details, as well as medical records, were at risk of theft. Moreover, the security flaw could allow cybercriminals to gain access to the e-WUŚ system. In this way, unauthorized persons could, among other things, issue sick leaves, referrals for tests or reimbursed prescriptions.
“The problem, in a nutshell, was that the databases of these applications are available on the Internet, and access to them is always done using the same (but different for each manufacturer) credentials embedded in the code. This vulnerability is called ‘hard-coded credentials’ and in the MITRE matrix it was assigned the identifier CWE-798,” explains Staśkiewicz. Unauthorized persons could gain access to data using default passwords. In some cases, users learned these passwords at the application installation stage. In others, they were available in the installer file.
“We were threatened with an earthquake”
Staśkiewicz determined that the affected applications were drEryk, mMedica Asseco, EuroSoft Przychodnia and SimpleCare. The case was reported to CERT Polska – a team responding to network security breaches. The problems were corrected before the article was published on OpenSecurity.pl. Staśkiewicz estimates that the disclosure of the case by an engaged reader “saved us from an earthquake.” “Today we would probably read not about patched vulnerabilities, but about sensitive data of millions of Poles circulating on the dark web,” he adds.
Source: Gazeta
