CloudSEK Success Stories
4
mins read

Exposed! How a Single API Flaw Put Millions of Medical Records at Risk 🚨

🚨 Hidden API Flaws Are Putting Millions at Risk! In today’s digital world, APIs power seamless connectivity, but when misconfigured, they become a hacker’s playground. A shocking discovery by CloudSEK’s BeVigil platform exposed major API vulnerabilities in a healthcare diagnostic chain, leaking sensitive personal and medical data—including names, reports, and even access to accounts! This breach isn’t just a technical flaw; it’s a ticking time bomb for identity theft, legal repercussions, and patient safety. Discover how attackers exploited unsecured endpoints and what security measures can prevent these catastrophic risks. Read on to protect your data before it’s too late! 🔥

Niharika Ray
February 7, 2025
Green Alert
Last Update posted on
June 9, 2025
Stay Ahead of External Threats with comprehensive Attack Surface Monitoring

Did you know that 70% of successful breaches are perpetrated by external actors exploiting vulnerabilities in an organization's attack surface? With CloudSEK BeVigil Enterprise, you can proactively detect and mitigate potential threats, ensuring a robust defense against cyber attacks.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Mayank Pandey

The Silent Threat: Misconfigured APIs Exposing Sensitive Data

In today's interconnected world, APIs serve as the backbone of digital ecosystems, enabling seamless communication between services. However, the increasing reliance on APIs comes with its share of risks, especially when they are not properly secured. A recent investigation by CloudSEK’s BeVigil platform revealed critical vulnerabilities within a prominent diagnostic chain’s API infrastructure, exposing highly sensitive personal and medical data.

This blog unpacks the findings from BeVigil’s research, explores the potential consequences of such breaches, and offers actionable recommendations to mitigate risks and enhance API security.

Cracking the Code

CloudSEK’s BeVigil platform uncovered several vulnerabilities arising from a JavaScript file publicly accessible on the clients web assets. This file contained sensitive API keys, authentication tokens, and unsecured endpoints, granting unauthorized access to critical systems.

BeVigil’s Web App Scanner identified several key findings, including:

  • Exposed Personal Information: Names, addresses, mobile numbers, and medical reports were accessible without proper authentication.
  • Unprotected ABHA Accounts: Misconfigurations allowed attackers to take over accounts or create fraudulent profiles.

Compromised APIs: Flaws in both Admin and Live APIs left the client vulnerable to exploitation, risking the integrity of sensitive user data.

More Than Just a Data Breach

The vulnerabilities discovered in the clients API infrastructure go beyond technical flaws; they pose serious risks with far-reaching implications and large-scale misuse of healthcare data.

  1. Unauthorized Data Access: Sensitive personal and medical information was exposed, violating patient confidentiality and privacy.
  2. Identity Theft: Leaked data could enable fraudsters to engage in identity theft, insurance fraud, and other malicious activities.
  3. Healthcare Liability: The incident puts healthcare providers at risk of legal consequences for failing to protect sensitive health information.
  4. Patient Safety Risks: Tampered medical data could lead to incorrect treatments, endangering patient well-being.
  5. Trust Erosion: Breaches of this nature undermine public trust in healthcare systems and services.

Exposing the Weak Links

1. Initial Access Vector: During the review of a JavaScript file, a section of data was found containing web addresses and security keys linked to the Admin API. This revealed critical security issues, including exposed keys and access tokens. One of the web addresses posed a significant risk as it allowed unauthorized access to sensitive patient details using only their lab number, highlighting a major gap in data protection practices.

BeVigil Web App Scanner detection

Exposed endpoint - getPatientReportData

     PII  of a User with Lab Number 

2. Exposed Medical Reports: Medical reports were accessible through the Live API by utilizing a combination of the patient’s lab number and last name. The lab number and last name, which could be extracted from the response of the previously exposed Admin API. This vulnerability allowed unauthorized access to detailed personal health information.

   Endpoints related to Live API found in the Javascript file 

Report Download link

The PDF reports contained critical personal information such as the patient’s full name, contact number, medical condition with a detailed report, and invoice-related details. What made this issue even more alarming was the use of sequential lab numbers. This meant that with minimal effort, unauthorized individuals could access the medical reports and personal data of potentially millions of users.

3. Access to Email Services: Furthermore, an issue was identified within the email feature that allowed messages to be sent to any email address, with the ability to customize the subject and content. This weakness could be misused by attackers to send convincing phishing emails, making it easier to trick recipients and potentially enabling further harmful actions.

Exposed Email endpoint

Response After Sending Email Successfully

Securing the Digital Frontline

CloudSEK recommends implementing the following measures to prevent such vulnerabilities:

  • Access Controls: Utilize OAuth 2.0 and enforce least-privilege policies to restrict API access.
  • API Key Rotation: Regularly update API credentials and promptly revoke compromised keys.
  • Rate Limiting: Implement request rate controls to deter abuse and brute force attacks.
  • Role-Based Access Control (RBAC): Define roles with tailored permissions to limit endpoint access.
  • API Gateway Security: Use API gateways to centralize and enforce security policies, including request validation and encryption.

Ignoring Security? A Risk You Cannot Take.

The vulnerabilities in API infrastructure serve as a important reminder of the consequences of inadequate API security. With healthcare data increasingly being digitized, ensuring robust API configurations is no longer optional—it is a fundamental responsibility.In the absence BeVigil, organizations can face an uphill battle against cyber threats. As demonstrated in this blog, a single vulnerability can snowball into a crisis, jeopardizing customer trust, operational stability, and financial health. Thus by integrating BeVigil Enterprise, businesses not only protect their assets but also position themselves as trustworthy custodians of customer data.In a world where data breaches dominate headlines, BeVigil Enterprise is the safeguard every organization needs. Don’t let vulnerabilities define your brand. Choose proactive security with BeVigil.

Author

Niharika Ray

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
No items found.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
CloudSEK Success Stories

4

min read

Exposed! How a Single API Flaw Put Millions of Medical Records at Risk 🚨

🚨 Hidden API Flaws Are Putting Millions at Risk! In today’s digital world, APIs power seamless connectivity, but when misconfigured, they become a hacker’s playground. A shocking discovery by CloudSEK’s BeVigil platform exposed major API vulnerabilities in a healthcare diagnostic chain, leaking sensitive personal and medical data—including names, reports, and even access to accounts! This breach isn’t just a technical flaw; it’s a ticking time bomb for identity theft, legal repercussions, and patient safety. Discover how attackers exploited unsecured endpoints and what security measures can prevent these catastrophic risks. Read on to protect your data before it’s too late! 🔥

Authors
Niharika Ray
Co-Authors
Mayank Pandey

The Silent Threat: Misconfigured APIs Exposing Sensitive Data

In today's interconnected world, APIs serve as the backbone of digital ecosystems, enabling seamless communication between services. However, the increasing reliance on APIs comes with its share of risks, especially when they are not properly secured. A recent investigation by CloudSEK’s BeVigil platform revealed critical vulnerabilities within a prominent diagnostic chain’s API infrastructure, exposing highly sensitive personal and medical data.

This blog unpacks the findings from BeVigil’s research, explores the potential consequences of such breaches, and offers actionable recommendations to mitigate risks and enhance API security.

Cracking the Code

CloudSEK’s BeVigil platform uncovered several vulnerabilities arising from a JavaScript file publicly accessible on the clients web assets. This file contained sensitive API keys, authentication tokens, and unsecured endpoints, granting unauthorized access to critical systems.

BeVigil’s Web App Scanner identified several key findings, including:

  • Exposed Personal Information: Names, addresses, mobile numbers, and medical reports were accessible without proper authentication.
  • Unprotected ABHA Accounts: Misconfigurations allowed attackers to take over accounts or create fraudulent profiles.

Compromised APIs: Flaws in both Admin and Live APIs left the client vulnerable to exploitation, risking the integrity of sensitive user data.

More Than Just a Data Breach

The vulnerabilities discovered in the clients API infrastructure go beyond technical flaws; they pose serious risks with far-reaching implications and large-scale misuse of healthcare data.

  1. Unauthorized Data Access: Sensitive personal and medical information was exposed, violating patient confidentiality and privacy.
  2. Identity Theft: Leaked data could enable fraudsters to engage in identity theft, insurance fraud, and other malicious activities.
  3. Healthcare Liability: The incident puts healthcare providers at risk of legal consequences for failing to protect sensitive health information.
  4. Patient Safety Risks: Tampered medical data could lead to incorrect treatments, endangering patient well-being.
  5. Trust Erosion: Breaches of this nature undermine public trust in healthcare systems and services.

Exposing the Weak Links

1. Initial Access Vector: During the review of a JavaScript file, a section of data was found containing web addresses and security keys linked to the Admin API. This revealed critical security issues, including exposed keys and access tokens. One of the web addresses posed a significant risk as it allowed unauthorized access to sensitive patient details using only their lab number, highlighting a major gap in data protection practices.

BeVigil Web App Scanner detection

Exposed endpoint - getPatientReportData

     PII  of a User with Lab Number 

2. Exposed Medical Reports: Medical reports were accessible through the Live API by utilizing a combination of the patient’s lab number and last name. The lab number and last name, which could be extracted from the response of the previously exposed Admin API. This vulnerability allowed unauthorized access to detailed personal health information.

   Endpoints related to Live API found in the Javascript file 

Report Download link

The PDF reports contained critical personal information such as the patient’s full name, contact number, medical condition with a detailed report, and invoice-related details. What made this issue even more alarming was the use of sequential lab numbers. This meant that with minimal effort, unauthorized individuals could access the medical reports and personal data of potentially millions of users.

3. Access to Email Services: Furthermore, an issue was identified within the email feature that allowed messages to be sent to any email address, with the ability to customize the subject and content. This weakness could be misused by attackers to send convincing phishing emails, making it easier to trick recipients and potentially enabling further harmful actions.

Exposed Email endpoint

Response After Sending Email Successfully

Securing the Digital Frontline

CloudSEK recommends implementing the following measures to prevent such vulnerabilities:

  • Access Controls: Utilize OAuth 2.0 and enforce least-privilege policies to restrict API access.
  • API Key Rotation: Regularly update API credentials and promptly revoke compromised keys.
  • Rate Limiting: Implement request rate controls to deter abuse and brute force attacks.
  • Role-Based Access Control (RBAC): Define roles with tailored permissions to limit endpoint access.
  • API Gateway Security: Use API gateways to centralize and enforce security policies, including request validation and encryption.

Ignoring Security? A Risk You Cannot Take.

The vulnerabilities in API infrastructure serve as a important reminder of the consequences of inadequate API security. With healthcare data increasingly being digitized, ensuring robust API configurations is no longer optional—it is a fundamental responsibility.In the absence BeVigil, organizations can face an uphill battle against cyber threats. As demonstrated in this blog, a single vulnerability can snowball into a crisis, jeopardizing customer trust, operational stability, and financial health. Thus by integrating BeVigil Enterprise, businesses not only protect their assets but also position themselves as trustworthy custodians of customer data.In a world where data breaches dominate headlines, BeVigil Enterprise is the safeguard every organization needs. Don’t let vulnerabilities define your brand. Choose proactive security with BeVigil.