CAse Study

Patient Details and Medical Records Secured: CloudSEK protects Healthcare Organization

Ensuring the security of a major Indian healthcare company by addressing a misconfigured API leaking sensitive personal and medical information.

the customer

A major Indian healthcare company

Industry

Healthcare

Geography

India

CloudsEK Product
BeVigil
BeVigil
Modules
API Scanner
Attack vector

Misconfigured API

USe Case

Leakage of personal and medical information, including full names, DOB, mobile numbers, addresses, and medical reports, through a misconfigured API

Sensitive Information Exposure Prevented

Personal and medical information leaked via a misconfigured API

Unauthorized Access Prevented

Potential unauthorized access to ABHA accounts and medical data averted

Enhanced Data Protection

Strengthened monitoring and security protocols implemented

Ready to get started?

Request a Demo

Challenge

CloudSEK BeVigil discovered a misconfigured API in a JavaScript file associated with a major Indian healthcare company's asset. The exposed API keys and authentication tokens provided unauthenticated access to sensitive endpoints, allowing unauthorized users to access personal and medical information. This included the ability to download medical reports and potentially take over Ayushman Bharat accounts using leaked tokens.

Impact

Unauthorized access to personal medical data can result in significant privacy violations, identity theft, and fraud. Healthcare providers may face legal liabilities and reputational damage due to the exposure of patient information. Additionally, patient safety could be compromised if sensitive medical data is accessed or tampered with, leading to incorrect medical treatments

Solution

CloudSEK BeVigil promptly identified and secured the misconfigured API, ensuring the exposed data was protected and access was restricted.

Implementation:

Detection:

CloudSEK BeVigil discovered the misconfigured API in a JavaScript file associated with the healthcare company's asset.

Threat Analysis:

• The exposed API keys and authentication tokens provided unauthenticated access to sensitive endpoints, allowing unauthorized users to access personal and medical information.

• The analysis revealed the potential for unauthorized access to ABHA accounts and the ability to download medical reports.

Immediate Actions:

• The healthcare company's infosec team secured the misconfigured API based on CloudSEK advice to prevent further unauthorized access.

Access controls were implemented to enforce the principle of least privilege, using OAuth 2.0 or API keys for authentication.

API key rotation and rate-limiting controls were put in place to prevent abuse.

Preventive Measures:

Role-Based Access Control (RBAC) principles were applied to manage access based on user roles

• Employees were educated on the importance of securing sensitive information and following best practices for API security