More than 2 million medical data exposed in Mexico

On August 3, researcher Bob Diachenko discovered information of 2,373,764 patients in Mexico, publicly available through a poorly configured MongoDB instance, which contained data such as:

• full name and gender,
• CURP number (similar to Spanish ID card),
• insurance policy number and its expiration date,
• birthdate,
• home address,
• 'disability' and 'migrant' flags.

It is unknown who has had access to this database, as well as the time that has been available. The supposed owner is Hova Health company.

Once the company was informed about the researcher's finding, it analyzed and reviewed the entire infrastructure in order to prevent this type of vulnerabilities. After two hours, they claimed that the database was secured.