Top healthcare company exposed data on millions of patients. Here's why it should bother you
- A security researcher found a database holding millions of records containing PII
- The database was built by a Canadian healthcare giant called Care1
- It was subsequently shut down, but customers should beware
A massive database containing millions of sensitive records was discovered unprotected online, available to anyone who knew where to look.
The cache was recently discovered by security researcher Jeremiah Fowler, known for uncovering misconfigured databases and non-password-protected archives.
This time, Fowler said he found a database containing more than 4.8 million documents and totalling about 2.2 terabytes. While examining the files in the archive, he found eye exams in PDF format, along with patient personally identifiable information (PII), doctor comments and images of the exam results.
“The database also contained .csv and .xls spreadsheets with a list of patients and their home addresses, personal health numbers (PHN) and details about their health,” Fowler wrote in his report for vpnMentor.
Personal health numbers are unique identifiers assigned to individuals by provincial or territorial health care systems in Canada to manage access to publicly funded health care services. They are used to maintain medical records, process insurance claims, and verify eligibility for health care services.
Cybercriminals can abuse PHNs by using them for identity theft, such as obtaining unauthorized medical services, filing fraudulent insurance claims, or illegally purchasing prescription drugs. They could also sell these numbers for profit on the dark web or exploit the associated data to conduct targeted phishing or social engineering attacks.
Fowler dug deeper and discovered that the database was owned by Care1, a Canadian company that offers AI software solutions to support optometrists in delivering improved patient care. The company says the software has helped manage more than 150,000 patient visits and is used by more than 170 optometrists.
After realizing who owned it, Fowler contacted the company, which closed the database shortly afterwards. However, without a detailed forensic investigation, it is impossible to know whether malicious actors found the archive before it was secured.