UPDATED 23:50 EST / AUGUST 11 2020

SECURITY

3.1M records tied to medical software company Adit found exposed online

More than 3 million user records tied to a medical software company called Adit have been found exposed online and may have been stolen by malicious actors.

The exposed database was discovered by security researcher Bob Diachenko, who revealed it today. The data included full names, email addresses, home and work phone numbers, marital status, sex and medical practice name. The database was completely unsecured, with no password or other authentication required to access it.

The company is somewhat difficult to track down. Diachenko noted that it took him some time to tie the database to Adit. While the company appears to have a website, it was down at the time of writing. What is known is that the company offers software for online bookings and patient management at medical and dental practices. An Archive.org record from June shows that the company offers what it calls the “ultimate all-in-one practice growth platform.”

Diachenko found the database on July 13 and tried to reach out to the company, without success. The database is said to have been destroyed a week later and may have been stolen by the Meow bot. As with all personally identifiable information, the data could be used to phish or scam those listed in the database.

“This researcher’s discovery of Adit’s unsecured database and disclosure to the company is a textbook practice that ethical security researchers will do to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors,” Casey Ellis, founder and chief technology officer of crowdsourced cybersecurity platform company Bugcrowd Inc., told SiliconANGLE. “Unfortunately, Adit’s failure to respond to the researcher in time allowed a bot to delete and possibly steal the critical information belonging to millions of patients that were in the database.”

The exposure highlights the failure of both public and private sector organizations to cooperate with ethical security researchers, he added. “Organizations across all industries can benefit from having a vulnerability disclosure program in place,” he said. “This is because humans are prone to error and, when developers feel rushed to bring a new product or innovation to market, they will make mistakes along the way.”

Anurag Kahol, co-founder and CTO of cloud access security broker Bitglass Inc., noted that Gartner Inc. forecasts global information security spending to reach $123 billion this year, yet organizations continue to be plagued by easily preventable security failures like this one.

“This incident highlights how most organizations lack full visibility and control over their data, which are two critical components needed for a mature security program and to proactively prevent leaks and breaches,” Kahol said. “Obtaining full visibility and control over corporate data starts with a multifaceted approach to security. Specifically, solutions that enforce real-time access control, encrypt sensitive data at rest and manage the sharing of data with external parties can help proactively prevent data leakage.”

Image: Adit/Archive.org
