Cyber Incident Victim: SkyMed International
Date: Mar 2019
Location: United States of America
Summary
A cybersecurity researcher discovered an unsecured Elasticsearch database containing sensitive information belonging to a medical evacuation membership service provider. The exposed records included personal details such as names, birthdates, contact information, and medical notes for approximately 137,000 members, stored in plain text without access controls. The database showed evidence of ransomware activity, suggesting potential unauthorized access prior to discovery. Despite multiple notifications sent to the organization, no response was received regarding remediation efforts or compliance with breach notification regulations. The duration of exposure and whether affected individuals or authorities were informed remain unclear.
Description
On March 27, 2019, an unsecured Elasticsearch database containing SkyMed member records was discovered during a security investigation. The database, configured to allow public access without administrative credentials, exposed 136,995 customer accounts belonging to the Florida-based medical evacuation membership service. Initial analysis revealed detailed member files containing personally identifiable information including full names, dates of birth, phone numbers, physical addresses, and email addresses, all stored in plain text. Some records included medical information or notes about members. The discoverer identified multiple references within the data indicating affiliation with SkyMed, which had operated emergency medical evacuation services since 1989. A first notification about the exposure was sent to SkyMed on the discovery date. Subsequent verification on April 5 confirmed the database had been secured and was no longer publicly accessible. Evidence of ransomware activity was observed within the exposed environment, suggesting potential unauthorized access beyond the configuration vulnerability. The duration of public exposure and scope of unauthorized access remained undetermined at the time of reporting.

The incident exposed sensitive health-adjacent data from a service designed to evacuate travelers during medical emergencies, creating potential risks for identity theft and medical privacy violations. SkyMed did not acknowledge or respond to multiple contact attempts regarding the breach, leaving notification compliance with HIPAA and Florida breach laws unverified. The database's open configuration allowed unrestricted editing, downloading, or deletion of records by any internet user prior to its closure. No information about containment procedures beyond the access termination was disclosed, and no public statements from SkyMed appeared in the reporting timeline. The ransomware evidence indicated possible malicious actor presence, though no connection between this activity and data exfiltration was confirmed.
