Dr. Ansay: Security vulnerability allowed access to 1.7 million prescriptions

The telemedicine provider Dr. Ansay has experienced another security vulnerability. This endangered hundreds of thousands of customers.

Dr. Ansay's Online Shop

(Image: Dr. Ansay)


The telemedicine provider Dr. Ansay has experienced a security vulnerability that potentially exposed around 1.7 million prescriptions from approximately half a million customers. The affected data primarily includes cannabis prescriptions along with health and personal information, such as names, addresses, email addresses, phone numbers, and details about the roughly 15 prescribing physicians, who are mostly not from Germany. Additionally, data related to medications, dosages, and selected pharmacies were accessible, as were orders for painkillers, for example. The company has not responded to questions about whether data has been exfiltrated.

heise online received indications that the vulnerability stemmed from misconfigured access rules on a Firebase Firestore database, and was able to confirm this. Because of the misconfiguration, any logged-in user holding a valid authentication token could read not only their own prescriptions but every data record. Despite multiple attempts to report the issue to the company, there was initially no response, and the data remained unprotected until early January. The vulnerability was closed in the evening after heise online submitted an inquiry to the company.
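The pattern heise describes (a rule that checks only that the caller is signed in, never whose data is being read) is the classic Firestore security-rules mistake. The following rules file is an added illustration of that weak rule beside a hardened version; it is not Dr. Ansay's actual configuration, and the collection name `prescriptions` and the owner field `patientUid` are assumptions.

```firestore
// Added illustration, not Dr. Ansay's rules. Collection name (prescriptions)
// and owner field (patientUid) are assumed.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /prescriptions/{prescriptionId} {

      // WEAK (the pattern described above): every caller with a valid
      // Firebase Auth token passes, so any signed-up user can read the
      // whole collection, not just their own documents.
      //
      //   allow read: if request.auth != null;

      // HARDENED: bind each read to the document's owner. resource.data is
      // the stored document, so a signed-in user can only read documents
      // whose patientUid equals their own uid.
      allow get, list: if request.auth != null
                       && request.auth.uid == resource.data.patientUid;

      // On create the document does not exist yet, so check the incoming
      // data (request.resource) and force the owner field to be the caller.
      allow create: if request.auth != null
                    && request.resource.data.patientUid == request.auth.uid;

      // Prescriptions are issued by the backend; the Admin SDK bypasses
      // rules, so clients get no update or delete path at all.
      allow update, delete: if false;
    }
  }
}
```

Two caveats a practitioner will want: Firestore rules are not filters, so with the hardened `list` rule a client query must itself be constrained to the caller's own documents (for example `where("patientUid", "==", uid)`) or the whole query is denied rather than silently narrowed; and because the Admin SDK bypasses rules entirely, any backend that reads on behalf of users must enforce the same ownership check in its own code. Rules can be exercised against the Firestore emulator before deployment, with a test that asserts a read of another user's document fails.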

Dr. Ansay leaves central questions from heise online unanswered and attributes the discovery to a newly launched bug bounty program: “We assume that the vulnerability was found due to a bug bounty program initiated by us.” The company also does not say whether affected individuals were notified in accordance with Art. 34 of the GDPR.

Dr. Ansay informed the security researcher who found the vulnerability that a GDPR notification to the responsible supervisory authority had been initiated. Inquiries from heise online to the data protection authorities in Malta and in Hamburg, the location of Dr. Ansay's German headquarters, have not yet been answered.


“The security researcher's contact was unfortunately delayed over the holidays,” said a spokesperson. Communication is now functioning, and the problem could be resolved immediately. “We thank the security researcher for their work and will continue to handle the incident internally.” Dr. Ansay does not want to “share further details at this time, as black-hat hackers could use them in the future and we want to protect our systems.”

It remains unclear since when the security vulnerability existed and since when the company was aware of it, whether and to what extent data was actually exfiltrated, how many people are specifically impacted, and whether they have already been informed. It also remains open what specific risks exist for those affected, what protective measures are planned, and why the vulnerability was not discovered through internal security checks.


In December, Dr. Ansay assured heise online and on Reddit that “internal security and monitoring processes are running continuously” and that there were “no indications of unauthorized access or data exfiltration.” At that time, data sets allegedly from Dr. Ansay were offered for sale in an underground forum. It is unclear where the data comes from. A mix of previously published leaks from other or similar platforms is also conceivable. The authenticity of the data has not yet been confirmed.

Dr. Ansay places great importance on the security of its systems.

(Image: Reddit)

Data protection is of “utmost priority,” states Dr. Ansay. “The systems are continuously checked. In light of the increasing number of phishing and smishing attempts currently occurring, internal controls have been further intensified, without any findings.”

Dr. Ansay already experienced a publicly known data breach in May 2024, where cannabis prescriptions were accessible via search engines. At that time, the company reported the incident to the data protection authority, spoke of a resolved vulnerability, and informed impacted individuals via email.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.