Israel’s largest private hospital, the Herzliya Medical Center, has inadvertently exposed the data of at least 50,000 Israelis as part of a new test website it's working on, a cyber expert discovered this week.
The center, worth 1.5 billion shekels, is testing a new appointment-setting system and built a demo website to that end. According to Roni Suchowski, an experienced cyber researcher and founder of CISO Helper, “when I was using some network scanning software I arrived at one of their websites and there was a login screen.
"I tried logging in using ‘admin’ and ‘admin’ as a joke and it actually worked. I was inside,” he says.
According to Suchowski, because this was a demo site intended for testing purposes, it had no real defense mechanism beyond a login form that accepted default credentials.
However, despite this, it did make use of very real data from very real patients. In fact, the personal details of about 50,000 people were fed into the system and could thus be easily accessed.
Suchowski stumbled upon the site being developed by the medical center together with a firm called ONE. The website seemed empty, but some snooping by Suchowski revealed a page dedicated to “statistics” through which the data could be seen.
“They uploaded onto their demo site real live data from their running website - it actually updates every few minutes,” he says.
The data revealed included patient names, their ID numbers and, in some cases, the treatments they received (for example, a coronavirus test). Bulk-downloading the data, however, was not possible without proper authentication.
Another thing that Suchowski discovered while roaming the test site was a list of usernames and passwords the private hospital uses to access other services. For example, he found the login details for a mass SMS-sending service the hospital uses to message its patients. Anyone who found those credentials could use the SMS service in the hospital’s name, for example to send out messages demanding payment.
However, perhaps the biggest loophole he discovered was that credentials on the demo site would allow access to the hospital’s main database. Suchowski said he did not enter it, but flagged it as a massive risk to the medical center and those who received treatment there.
“I didn’t test whether these different passwords worked or not - that would be a breach of my ethical lines - however it seems all these different services are accessible,” he says. Suchowski adds that the demo site has only been live for two weeks, “so I hope I caught it in time.” He made the discovery as part of what he terms a 100-day crusade to raise awareness of cyber security; Suchowski tweets daily about the different loopholes and exploits he finds.
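The two failure modes described above, production records synced into a demo and default or stored credentials on a publicly reachable test site, are exactly what a pre-deployment check for a demo environment should catch. The following is an added example written for this article; it is not code from the hospital, from ONE or from Suchowski. The record fields, the pseudonymization key, the default-credential list and the configuration keys are all assumed for illustration, and the sample rows are constructed placeholders, not real records:

```python
"""Guarding a demo/staging deployment against two failure modes:
production PII copied into a demo, and default or live credentials
stored in the demo's configuration. Illustrative code only."""
import hashlib
import hmac
import re

# Constructed sample of what a "sync every few minutes from production"
# job might pull. Names and ID numbers are invented placeholders.
PRODUCTION_ROWS = [
    {"name": "Example Patient A", "id_number": "000000018", "treatment": "coronavirus test"},
    {"name": "Example Patient B", "id_number": "000000026", "treatment": "blood test"},
    {"name": "Example Patient A", "id_number": "000000018", "treatment": "follow-up"},
]

# Per-environment secret. Assumed to come from a secrets manager in real
# use, never from the demo's own config; hard-coded here so the example
# runs offline.
DEMO_PSEUDONYM_KEY = b"demo-environment-key-rotate-me"


def pseudonymize(value: str, key: bytes = DEMO_PSEUDONYM_KEY, length: int = 12) -> str:
    """Deterministic keyed hash (HMAC-SHA256, truncated). The same patient
    always maps to the same token, so a statistics page still counts
    repeat visits correctly, but the token cannot be reversed to a name
    or ID number without the key."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:length]


def sanitize_for_demo(rows):
    """Return a copy of the rows with direct identifiers replaced.
    Non-identifying fields (treatment type) are kept so the demo
    remains realistic without carrying real identities."""
    return [
        {
            "name": "patient-" + pseudonymize(r["name"]),
            "id_number": pseudonymize(r["id_number"]),
            "treatment": r["treatment"],
        }
        for r in rows
    ]


# Assumed list of default pairs that must never reach a deployed demo.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("test", "test"),
}

# Config keys that look like they carry a credential for another service.
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|api[_-]?key|token)", re.IGNORECASE)


def demo_config_problems(config: dict) -> list:
    """Return the reasons a demo config must not be deployed.
    An empty list means the config passed every check."""
    problems = []
    user = config.get("admin_user", "")
    pw = config.get("admin_password", "")
    if (user, pw) in DEFAULT_CREDENTIALS:
        problems.append(f"default admin credentials {user!r}/{pw!r}")
    if len(pw) < 12:
        problems.append("admin password shorter than 12 characters")
    for key, value in config.items():
        if key in ("admin_user", "admin_password"):
            continue
        # Credentials for third-party services (an SMS gateway, a database)
        # belong in a secrets manager, not in a demo's config.
        if SECRET_KEY_PATTERN.search(key) and value:
            problems.append(f"live credential stored in demo config under {key!r}")
    if config.get("data_source") == "production":
        problems.append("demo reads directly from production data")
    return problems


if __name__ == "__main__":
    for row in sanitize_for_demo(PRODUCTION_ROWS):
        print(row)
    risky = {
        "admin_user": "admin",
        "admin_password": "admin",
        "sms_api_key": "constructed-placeholder-key",
        "data_source": "production",
    }
    for problem in demo_config_problems(risky):
        print("refusing to deploy:", problem)
```

The pseudonymization is keyed rather than a plain hash so that someone who obtains the demo's data cannot recover ID numbers by hashing every possible value; rotating the key invalidates every token at once. The config check is meant to run in the deployment pipeline before the demo is exposed, so that a default admin password or a stored SMS-gateway credential fails the build instead of being found by a scanner.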
Haaretz flagged the loophole to the medical center; it has since been fixed and the demo site is no longer active.
The Herzliya Medical Center said in response: “This is a system for setting appointments we have developed in partnership with ONE, which uploaded the demo for the sole purpose of showcasing the system. The demo is hosted on a different server than the one we use for the hospital or the ones used by ONE. A human error led to the demo system including an analytics element that also included the names, ID numbers and other data about past visitors to the website. There was no hack or breach of our systems and we follow all the standard security protocols.
“The moment the issue was found, the system was taken off the site and all the passwords were changed to make sure there is no exposure. We are studying the error as this was a rare case which will be learnt so it does not repeat itself.”