It's been a while since credit card and social security numbers were enough to supply the criminal market with stolen data. In the last few years there has been a marked increase in the amount of healthcare data up for sale thanks to some major data breaches and the notoriously poor security of smaller healthcare providers.
While it may be improving, there are still plenty of unpatched systems out there. Even worse, there are some providers using applications that are largely unsupported. A recent announcement from researchers at Bishop Fox is proof of that.
An open source application called OpenClinic, used for health records management, was found to have four major 0-day vulnerabilities. The most critical vulnerability is a missing authentication check where a patient does not have to sign in to view test results. This would allow an attacker to directly access patient data with only the path to the file.
The other three bugs require authentication. A cross-site scripting vulnerability allows an attacker to "embed a malicious payload within a medical record's address field." With administrator privileges an attacker could upload malicious files to an endpoint on the server, allowing them to execute arbitrary code.
There is also a path traversal vulnerability that allows files to be stored outside of designated directories. All versions of OpenClinic are vulnerable to all four bugs. The last update to the application was in 2016.
The Bishop Fox team attempted to contact the developers for OpenClinic three times but receivedno response. After90 days (per their disclosure policy), they published their findings. OpenClinic appears to no longer be supported and the changelog suggests that releases were few and far between to begin with.
Unfortunately, a quick Google search suggests that there are few providers out there still using the software in some capacity. The exposed records are old, but exposed nonetheless. The best option for anyone still using the application is to find an alternative as soon as possible.