An OpenEMR vulnerability could expose millions of medical records to attackers. The flaw was patched in OpenEMR 5.0.0 Patch 6 a couple of weeks ago.
Unpatched versions could allow an attacker to steal patient records and personal data by exploiting the vulnerability in the setup.php installation script.
OpenEMR is a popular open source electronic health records and medical practice management solution used by thousands of physician offices and small healthcare facilities worldwide.
The script allows admins to install apps through a web browser, but the flaw has broad impact because it could allow an attacker to copy databases without authentication.
Furthermore, cyber criminals could potentially set up new instances of OpenEMR that connect to remote MySQL instances they control, Help Net Security reports. In recent security guidance, OpenEMR also advised users to remove the setup.php script after installation.