SUMMARY
- Cybersecurity researcher Jeremiah Fowler discovered an unprotected Care1 database with over 4.8 million patient records.
- Exposed data included names, addresses, medical histories, and Personal Health Numbers (PHNs).
- Responsibility for the breach and its duration remains unclear.
- Healthcare data breaches are increasing, posing significant privacy risks.
- Stronger cybersecurity measures are essential for protecting sensitive patient information.
Cybersecurity researcher Jeremiah Fowler recently discovered a massive database belonging to Care1, a Canadian company that provides AI-powered software solutions to optometrists. The database, containing over 4.8 million records of patient information (with a total size of 2.2 TB), was left completely unprotected, exposing sensitive data like patient names, addresses, medical histories, and even their unique Personal Health Numbers (PHNs).
Care1 is a specialized healthcare technology company with over 170 partner optometrists and over 150,000 patient visits managed through its software. The company describes its focus as disrupting eyecare with artificial intelligence, backed by advanced software engineering and an extensive partner network.
According to Fowler’s investigation, published by vpnMentor, the exposed data included detailed eye exam reports in PDF format containing patient PII, doctor’s notes, and images.
The database also contained CSV and XLS spreadsheets listing patients with their home addresses, Personal Health Numbers (PHNs), and other health-related information, including doctor’s comments and images from the eye exams.
In the Canadian healthcare system, a Personal Health Number (PHN) is a unique identifier that makes a patient’s health information accessible to all of their providers. While a PHN alone may not directly enable financial fraud, it is a valuable piece of information for criminals building a comprehensive profile of an individual.
It is unclear whether the database was directly owned and managed by Care1 or handled by a third-party contractor. It is also unclear how long it remained exposed, and whether any unauthorized party accessed it cannot be determined without an internal forensic audit. According to Fowler’s blog post, he sent a responsible disclosure notice to the company and public access was restricted promptly.
As healthcare relies more heavily on digital systems, the potential for data breaches grows with it. Exposure on this scale poses significant privacy risks for patients, since their medical information could be misused for identity theft or other malicious activity. In 2023, Fowler discovered a non-password-protected database belonging to Indian medical diagnostics firm Redcliffe Labs, containing over 12 million records, including sensitive patient data such as medical scans and test results.
These incidents reflect the need for heightened security measures within the healthcare sector. Companies like Care1, which handle sensitive patient information, must prioritize stringent cybersecurity measures, including strong encryption, access controls, and regular security audits.