Searchers may Google your patient records

Hackers discover that search engines can help gain unauthorized access to private patient information on Internet-based files.

By Tyler Chin, AMNews staff. April 7, 2003.

Come ogle my patients' data.

Unwittingly, you may be rolling out the welcome mat so any hacker can use Google, the most popular Internet search engine, to walk into your Web-accessible system.

In March, Wired.com reported that hackers used Google as a shortcut to infiltrate computer networks that weren't properly secured. Instead of blindly surfing the Web for vulnerable computer networks, hackers can use a search engine to easily identify targets. That's because many databases use templates and canned phrases that Internet search engines pick up as they search and index the content posted on the Web.

In one particular instance, hackers typed into Google a phrase -- "select a database to view" -- that commonly appears in databases from FileMaker Inc. The search engine spat out more than 200 database listings.

While most of the databases were secure or contained mundane information, a few had sensitive information that hackers were able to access because users hadn't changed the passwords that came with the system.

For example, the hackers accessed a database containing personal and medical information of more than 5,000 neurosurgery patients at the Drexel University College of Medicine in Philadelphia by typing the name of the database product into the user ID and password fields.

The hackers did not alter or copy the medical school's database, which they accessed as part of an experiment to determine whether Google could be used as a hacking tool. Once they discovered that it could, they alerted Wired.com, which in turn contacted the medical school.