Security researcher Jeremiah Fowler, together with the Website Planet research team, discovered an open and non-password-protected database that contained over 16,000 records. A limited sampling of 1,000 records was reviewed to identify who owned this data and notify them that sensitive information was exposed. Each record reviewed contained some form of personally identifiable information (PII) of children. The records appeared to be unique based on the Patient ID number. These included their names, date of birth, Patient ID number, home address, school attended, special needs, medical diagnoses, behavioral or social problems, and more data that appears to be recent.
Upon further research, references to Tridas eWriter, an online interview system operated by the Tridas Group LLC, were found. The Tridas Group LLC offers software that works with schools and parents to facilitate the diagnosis and management of children with ADHD, Autism, learning challenges, and other disorders or common conditions. The findings appeared to be a collection of records from Tridas eWriter questionnaires completed by parents, which the Tridas Center (where assessments of children would take place) suggested should be completed before the first evaluation appointment. We note that, according to the Tridas Center website, the Tridas Center closed on December 31, 2019. We immediately sent a responsible disclosure notice to the Tridas Group LLC and public access was restricted shortly after.
According to their website: “Tridas eWriter brings together experts in child development and behavior along with experts in technology to create a groundbreaking Internet based application. Tridas eWriter provides secure, HIPAA compliant online questionnaires and it generates a detailed report that organizes the data in an easy-to-read format to facilitate the diagnosis and management of these complex challenges”.
The children were categorized with tags such as: Attention Difficulties, Behavior Difficulties, Autistic Like Symptoms, Emotional Issues, Learning Problems, Social Inter Concerns, Developmental Delay, and others. The most surprising part of the discovery was that these records appeared to include the parent’s summary or a questionnaire of their child’s condition. They were very detailed; some painted a complete picture of the child’s challenges, and in many cases, there were stories or situations to validate why they believed their child needed assistance. This information, once shared on the platform, should have only been made accessible to medical professionals. The data was, however, publicly accessible through a misconfigured IP that showed the host domain, login portal, and where the data was stored. Any potential exposure of medical or health records has a range of risks that could impact families and children.
The database included the following:
- Total Records Exposed: Over 16,000
- Internal records of questionnaires completed by parents that include the children’s first and last names, date of birth, physical address, name of the school they attend, parent’s phone number, and detailed physical or mental health information that should not have been publicly exposed. These notes provide profiles of the children’s issues or challenges including medical diagnosis, medicine prescribed, learning disabilities, violence, abuse, or other issues.
- Our findings were validated using a limited sampling of names that appear to be real people who share the same surname as individuals living at the addresses listed in the records according to publicly available resources.
The exposed individuals and users could be targeted for medical extortion, social engineering scams or phishing attacks based on exposed personal information, should any ill-intentioned hacker have discovered the database before it was secured. However, we cannot and do not know whether such hackers did so. The non-password-protected database was also at risk of a ransomware attack that could have encrypted the data. The exposed environment could have allowed cybercriminals to insert malicious code or identify vulnerabilities for a future cyber-attack.