Post: Private Info of Over 1.5M Donors Exposed by UChicago Medicine

Key notes

The personal information of more than 1.6 million potential and existing University of Chicago Medicine donors was exposed by a misconfigured, unprotected ElasticSearch server left open on the Internet without a password.
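The exposure pattern described here (a cluster bound to a public interface with no authentication) is something a defender can catch in the node configuration before the data ever leaves the building. The following audit script is an added example, not code from the post or from UChicago Medicine: it reads a flat elasticsearch.yml-style file and reports the settings that together produce an open cluster. The sample configurations are constructed for illustration; the setting keys (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings, and the assumption that a missing `xpack.security.enabled` should be treated as "not enabled" is deliberate, because the default has varied between major versions.

```python
"""Audit a flat elasticsearch.yml for the open-cluster pattern: public bind
address plus security disabled. Added example; the configs are constructed."""

# Constructed example of the kind of settings that leave a cluster open.
WEAK_CONFIG = """\
cluster.name: data-ucmbsd2
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # anonymous read/write over HTTP
"""

# Constructed example of the same cluster with the exposure closed.
HARDENED_CONFIG = """\
cluster.name: data-ucmbsd2
network.host: 10.0.5.12        # constructed internal address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Bind values that expose the HTTP API beyond the local host.
PUBLIC_BIND_VALUES = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Parse the 'key: value' lines elasticsearch.yml normally consists of.

    Comments and blank lines are skipped; nested YAML is out of scope here
    (assumption: the file uses dotted flat keys, as the shipped file does).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    s = parse_flat_yaml(text)
    findings = []

    host = s.get("network.host", "localhost")  # Elasticsearch default is loopback
    public_bind = host in PUBLIC_BIND_VALUES
    security_on = s.get("xpack.security.enabled", "").lower() == "true"
    http_tls_on = s.get("xpack.security.http.ssl.enabled", "").lower() == "true"

    if public_bind:
        findings.append(
            f"network.host={host}: the HTTP API is reachable on every interface")
    if not security_on:
        findings.append(
            "xpack.security.enabled is not explicitly true: "
            "requests are served without authentication")
    if public_bind and not security_on:
        findings.append(
            "CRITICAL: publicly bound cluster with no authentication "
            "(the exposure pattern described in this post)")
    if security_on and not http_tls_on:
        findings.append(
            "xpack.security.http.ssl.enabled is not true: "
            "credentials cross the wire in clear text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_elasticsearch_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run against a node's real elasticsearch.yml, the script gives a fast first pass; it does not replace a network-side check, since a firewall or reverse proxy in front of port 9200 can change the actual exposure in either direction.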

After taking a closer look at the exposed data, Diachenko learned that the 34GB ElasticSearch cluster named ‘data-ucmbsd2’ contained 1,679,993 records, which could have been accessed by anyone who knew where and how to look for them.

Further investigation of the exposed donor records showed the researcher that each of them contained personally identifiable information (PII) such as the following:

List of data leaked

• Full name

• Date of birth

• Full address

• Phone number(s)

• Emails

• Gender

• Marital status

• Wealth info and current status

• Communication notes

Response from the university

We are conducting a comprehensive forensic investigation and have determined that no unauthorized parties – beyond this security researcher – accessed the information in the database. The researcher confirmed that he never downloaded the full database and only accessed a limited number of records. The database included limited personal information, and there was no exposure of social security numbers, credit card or banking information. For some records in the database, the names and clinical areas of physicians who treated patients were also included, but the database contained no detailed information from the patients’ medical record.