A new report from cybersecurity firm UpGuard documents data exposures at 47 organizations, totalling roughly 38 million records.
The exposures stem from the default permissions of Microsoft Power Apps portals: portals publish list data through an OData API, and unless table permissions are enabled for a list, that feed can be read without authentication. The finding is significant because the affected organizations included state public health agencies.
Healthcare IT News spoke with a Microsoft representative, who said that only a small subset of customers had configured their portals in a way that exposed data. Microsoft maintains that Design Studio, the portal designer, “uses strong privacy settings by default.”
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs," the spokesperson told Healthcare IT News.
The exposed data is sensitive. It includes personal information collected for COVID-19 contact tracing and vaccination appointments, health worker employee IDs, and Social Security numbers, among other records.
"In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated," UpGuard researchers state in their report.
"The number of accounts exposing sensitive information, however, indicates that the risk of this feature — the likelihood and impact of its misconfiguration – has not been adequately appreciated," the report continued.
After identifying the exposures, UpGuard notified Microsoft and the affected organizations, which included the Indiana Department of Health and the Maryland Department of Health.
"This research presents an example of a larger theme, which is how to manage third-party risks (and exposures) posed by platforms that don't slot neatly into vulnerability disclosure programs as we know them today, but still present as security issues," the UpGuard researchers add.
For its part, the Indiana Department of Health stated that UpGuard “inappropriately accessed” the data, a claim the security firm disputes.
UpGuard says it did not “exceed our authorized access, and while the data should not have been public, the nature of the data could only be ascertained by downloading and analyzing it,” Healthcare IT News reports.