Cyber Incident Victim: Adit

Date: Jul 2020

Location: United States of America

Summary

An unsecured database belonging to Adit, a medical appointment software company, exposed sensitive patient information including names, email addresses, phone numbers, and treatment details due to misconfigured security settings. The unprotected data remained publicly accessible for approximately 10 days before being deleted by an automated "meow bot" that overwrote the database without ransom demands. While the bot's destruction of data prevented further exposure, security experts cautioned that malicious actors could have accessed the information during the vulnerability window, creating risks of identity theft, medical record tampering, or extortion targeting patients. The incident was attributed to potential errors during database migration or firewall deactivation, highlighting broader concerns about configuration management in cloud environments.

Description

On July 13, 2020, independent security researcher Volodymyr Diachenko discovered an unsecured Elasticsearch database containing records on 3.1 million patients exposed publicly on the internet without password protection or authentication requirements. The database belonged to Adit, a Houston-based medical appointment and patient management software company, and contained patient names, email addresses, phone numbers, and the names of medical practices where patients received treatment. Diachenko immediately notified Adit of the exposure but received no response from the company. The database had been indexed by search engine BinaryEdge on July 12, increasing its visibility to potential attackers. Ten days after initial exposure, on July 22, 2020, all data in the database was destroyed by an automated entity known as a "meow bot," which overwrote database indexes with the word "meow" repeatedly until the contents were irrecoverable. Researchers observed this bot had targeted hundreds of unsecured databases in preceding weeks, deleting data without demanding ransom, leading to speculation about its potential benevolent intent to protect exposed information.

The exposure duration created significant risk for patients, with experts warning that identity theft, financial fraud, medical record tampering, and extortion attempts were potential consequences. Forensic analysis would be required to determine whether malicious actors accessed the data prior to its deletion, though Adit provided no public confirmation of such investigations. Security analysts attributed the exposure to common misconfiguration errors during database migration or disabled firewall settings, noting similar incidents at Inmediata Health Group and UW Medicine in 2019. Adit never publicly acknowledged the breach or responded to multiple inquiries from Diachenko and Information Security Media Group. Industry experts emphasized that misconfigured cloud databases represent an escalating threat as organizations migrate infrastructure, citing insufficient change control procedures, lack of automated security configurations, and inadequate third-party vulnerability scanning as contributing factors. The incident highlighted operational failures in Adit's security lifecycle management, including absence of encryption for data at rest and in transit, weak access controls, and insufficient incident response protocols.
