
A serious security vulnerability has exposed highly sensitive information of more than 8,000 patients and employees of Paz Mental, a company dedicated to the care and rehabilitation of elderly adults operating in various states of Mexico.
The exposure, first reported by cybersecurity researcher JayeLTee in December 2024, remains unaddressed, leaving 67 GB of clinical records and personal and financial data within reach of cybercriminals. After weeks of failed attempts to contact the company and alert it to the problem (the data is publicly accessible, which is what makes the case so urgent), JayeLTee notified Publimetro Mexico, which verified the exposure to confirm the seriousness of the incident.
The exposed information includes clinical and personal data of thousands of individuals, including:
- Complete medical histories.
- Personal data of patients.
- Records of medical decisions.
- Information on foreign patients.
- Information on associated companies.
- Photographs of medical incidents.
- Financial records.
- Scanned IDs.
- Data of doctors and nurses.
- Employment information of staff.
- Photographs of staff.
- Patient follow-up reports.
- Partial banking information.
"A real danger: Risk of fraud, extortion, and identity theft. Access to this amount of sensitive information poses a latent threat. I cannot keep waiting, this information is at risk and needs to be protected before it's too late," JayeLTee stated in a message to Publimetro Mexico.
The researcher suspects that the data exposure could be related to the digital platforms used by Paz Mental. Among the findings are references to the applications Asistia Nurse and Ana Care, available on the Play Store. Moreover, failure to comply with regulations such as the General Law on Personal Data Protection and NOM-024-SSA3-2012 could result in legal and economic penalties, explained Victor Ruiz, certified cybersecurity instructor and founder of SILIKN.
Victor Ruiz warned that reputational damage and loss of trust in healthcare services are also concerning consequences: "Even though these vulnerabilities have been reported in some cases, the lack of corrective actions exposes patients and professionals to high risk."
Since December 2024, JayeLTee has unsuccessfully attempted to report the vulnerability to various entities, including official email addresses of Paz Mental, cybersecurity firms, and government authorities. However, the complaints have been ignored, and there has been no satisfactory response. Cybersecurity experts have raised alarms about the risk that such leaks could be exploited by criminal groups to commit crimes such as extortion and identity theft. The lack of protection on the servers could lead to theft of medical data and fraud, and could jeopardize medical care; the pattern of exposure suggests a leak caused by poor database management.