Hova Health Data Breach (2018)

On August 3rd, I have discovered that personal information of 2,373,764 patients from Mexico is publicly available through a misconfigured MongoDB instance. Data included such fields as: Full name and gender; CURP number (i.e. Personal ID Code Number, a unique identity code for both citizens and residents of Mexico); Insurance policy number and its expiration date; Date of birth; Home address; ‘Disability‘ and ‘migrant‘ flags […] Upon analyzing the content of database, I have identified the alleged owner of the information, Hova Health company, a telemedicine company “focused on two main areas: Telemedicine (Teleradiology – Telehealth) and software development for the health sector.”