An uncertain MongoDB case of the MedicareSupplement.com health insurance marketing website was discovered online last month with up to 5 million records. The data cache included personal and health information.
TZ Insurance Solutions owns and manages MedicareSupplement.com. It aims to help people find an appropriate Medigap insurance plan, a form of private health insurance which does not cover the original medicine. According to its Facebook page, over 400,000 people have been helped to find an insurance plan.
The way the website works is by comparing the health plans available outside Medicare to potential customers. To receive a free quote, users must enter personal information in an online form.
MongoDB instance of marketing leads
Researchers from Compariteh, security professionals who have experienced in online detection of unprotected sensitive data, uncovered the public database on 13 May.
In a Thursday blog post, the researchers observe that the instance of MongoDB they found appears to be part of the website’s leading database.
The details are enough to identify people and determine their interest in health insurance. They included full names, e-mail addresses, birth dates, gender, phone numbers, and IP addresses. This included full addresses.
“Some records—about 239,000—also indicated insurance interest area, for example, cancer insurance. Data was spread around several categories, including life, auto, medical, and supplemental insurance.”
Hushed fix delivered
On May 10, BinaryEdge digital asset search engine indexed the database. However, before this date information could have been available and it is not clear how long it has been exposed to it or if it has been accessed by malicious parties.
The researchers contacted MedicareSupplement.com to alert them about their exposure, but representatives of the site did not reply. They modified the MongoDB server configuration to protect the database.
Diachenko warns against potential risks from such incidents by saying that the lack of authentication invites hackers to access and install malware on open MongoDB servers.
An attacker would also be given full management privileges on the system so that they can remotely access server resources, “and even run code to steal or completely destroy any data stored on the server.” Individuals affected by this incidence of data exposure could become the targets of more carefully crafted spam messages, phishing and fraud.
Medicare Supplement has an excellent overall rating from customers sharing their experience with company agents on its review platform.