Browser extensions, also known as add-ons or plug-ins, are commonly used by web surfers to do things ranging from blocking ads to remembering passwords to checking grammar.
According to an independent security researcher, some extensions have been leaking and exposing browsing activity data including patient names and health information from healthcare software companies.
At least eight browser extensions have been collecting browsing activity data, including personally identifiable information and corporate information from unwitting Chrome and Firefox users over a seven-month period, according to Sam Jadali, an independent security researcher who documented the privacy issue in a recent report called "DataSpii: The catastrophic data leak via browser extensions."
This browsing activity data were then sent to a database and published by an online market intelligence service, the report said.
The researchers reported their findings to browser makers, and Google remotely deactivated seven extensions while Mozilla did the same to two others, according to the report.
Over 4 million users had these extensions, according to Jadali, and the report documents at least 50 companies impacted by what the report calls DataSpii. The name refers to the browser extensions spying on users.
Jadali's investigation found that DataSpii impacted tech giants including Apple, Facebook, Microsoft and Amazon as well as cybersecurity companies including Symantec, FireEye, Trend Micro and Palo Alto Networks, according to the report.
Several health IT companies and healthcare organizations also were affected, the report said, including Athenahealth, Epic, Kareo and DrChrono. Direct-to-consumer genetic testing company 23andMe was impacted as well as Kaiser Permanente, the report said.
The problem, according to the report, is that many extensions collected the URLs, webpage titles and sometimes the embedded hyperlinks of every page that the browser user visited. Some of these published links led to pages that are not protected by passwords, and the published links could allow viewers to access the content at these pages.
According to the report, millions of browsing histories were exposed, including confidential corporate memos, users’ tax returns, GPS locations, travel itineraries, credit card details or possibly any URL a user may have opened with their browser
Security researchers were able to find patient names, doctors and medications sourced from browsing information from healthcare software companies' sites browsed on private networks, the report said.
In a statement, Epic spokeswoman Meghan Roh said the company was recently informed by an independent security researcher that certain publicly available browser extensions collect and sell users’ browsing information, including the URLs and page titles of sites browsed on private networks.
"We took steps to investigate the implicated browser extensions and mitigate potential risks posed by the extensions. Our investigation did not find evidence that the browser extensions collected or disclosed protected health information. We also informed our customers about the potential risks of the extensions and shared approaches to block the extensions," Roh said.
Amanda Melander, executive director for Athenahealth, said the company was contacted by security researchers indicating the use of unapproved browser extensions within its environment.
The company immediately investigated and remediated identified issues, the spokesperson said.
"We have no indication that any client or patient data was exposed, and put safeguards in place to prohibit the use of these browser extensions in the future. Athenahealth employs daily, well-defined and practiced processes as part of our dedication to keep our network and 160,000 customers’ data safe," the company spokesperson said.
Jadali runs a website hosting business and earlier this year found some of his clients’ data for sale online, according to The Washington Post. Jadali found the data on a website called Nacho Analytics, a marketing intelligence service.
On its website, Nacho Analytics says it offers "unlimited access to any websites analytics data."
The company says the data come from people who have "opted-in to anonymously share their web browsing history." Personally identifiable information is removed from the data before a third-party company sources the information to the company, Nacho Analytics said.
"We take that data and load it into a Google Analytics account for you," the company said on its FAQ page.
Researchers said they spoke with many impacted individuals and major corporations who said they did not consent to such collection, according to the report.
"We understand that an individual exploited our tool specifically to seek out security flaws in less-secure websites," the company said in a statement on its website. "Nacho Analytics was created to gather marketing-focused insights, so the websites that this user viewed were unusual for any business case. No legitimate Nacho Analytics customer accessed these websites or their analytics data.
"We have a system in place to exclude websites with serious security issues. We are actively looking into additional information regarding this matter," the company said.
The market intelligence company said the security researcher's investigation "was not a hack."
"No private information was disclosed. No customer information (names, credit card, email, etc.) was seen or accessed," the company said.
In an abundance of caution, the company is halting all access to any potentially sensitive data, Nacho Analytics said.
David Holtzman, executive adviser at cybersecurity firm CynergisTek, said the data leak is another example of the "patchwork approach" to the protections around consumers' sensitive, personally identifiable information.
This patchwork approach "leaves many, many loopholes where corruptive technologies can pierce what many would consider data that should remain private," Holtzman said.