Healthcare startup Lyfebin exposed thousands of medical imaging files, such as X-rays, MRI scans and ultrasounds.
The Los Angeles-based healthcare startup allows doctors and medical staff to store medical images in its "secure environment," per its website, allowing patients and doctors access from anywhere.
But the files were found stored in an unprotected Amazon Web Services (AWS) storage bucket, without a password, allowing anyone who knew the easy-to-guess web address access to the data.
The files were dated between September 2018 to October 2019.
After we reached out to warn of the security lapse, Lyfebin secured the data.
The storage bucket contained more than 93,000 files — many appeared to be duplicates — containing medical scans. The files were stored in the DICOM format, a common file type used by medical imaging equipment. When opened, DICOM files contain the images from the scan as well as other metadata, such as the patient's date of birth and the name of the physician.
When asked, Lyfebin wouldn't say how many individual patients were affected. Instead, an unnamed company spokesperson claimed that the bucket was a "test environment where we use fake accounts and fake patient accounts to test out new features," but provided no evidence to support the claim. (We asked several times for the spokesperson's name, but the company representative stopped returning our emails.)
One of the scans found in the exposed storage bucket
"When we ingest patient information into our servers, we remove all identifying information," the unnamed spokesperson said. "No patient information has been exposed," they added.
Many of the files appeared to be anonymized to some degree, though we found evidence of some potentially identifiable information — including physician names and the patient's gender and date-of-birth, even if the patient's name had been scrambled from the file's cover sheet.
One file we examined still contained a name. The file had enough identifiable information to allow us to search for the person using public records. When reached, the person could not recall the specific date of their scan.
When asked to clarify, the unnamed spokesperson repeated the claim that the data contained "fake patient information," then threatened TechCrunch with legal action.
"If published, our legal team will review your article for any inaccuracies and will sue with the highest extent of the law for any malfeasance by you or TechCrunch," the spokesperson said.
Lyfebin did not answer our other questions, including how long the bucket was exposed. The company would not say if the company plans to inform customers of the security lapse, nor would it say if it planned to disclose the incident to local authorities per state data breach notification laws.
- Over 750,000 applications for US birth certificate copies exposed online
- Sprint contractor left thousands of US cell phone bills exposed
- Tuft & Needle exposed thousands of customer shipping labels
- StockX was hacked, exposing millions of customers’ data
- Stop saying, ‘We take your privacy and security seriously’