Over 1.6 million records from clinical trial database exposed


A non-password-protected and unencrypted database containing 2 terabytes of data leaked onto the internet, exposing more than 1.6 million clinical trial research records.

According to Jeremiah Fowler, a researcher at Security Discovery who discovered the lapse, the exposed records include sensitive personal and medical information of patients.

The database, for example, contained patient surveys in a PDF format and included people’s names, dates of birth, email addresses, phone numbers, vaccination records, and data about currently used medications.


The data belongs to Houston-based DM Clinical Research, a multi-therapeutic network of clinical trial sites. Fowler said in his report that it wasn’t clear whether the organization directly managed and owned the database or used a third-party contractor.

“This information could potentially be considered private medical data and, therefore, be protected under privacy laws,” he said.

“Any public exposure of health-related information could have potentially serious implications. While things like financial data and some PII can change over time, personal health histories do not.”

One concern, for instance, is that leaked medical data could be obtained by big data brokers and provided to health insurance companies, which could then charge higher premiums. The industry uses electronic health records to determine risk factors and coverage costs.


The researcher said he immediately sent a responsible disclosure notice to DM Clinical Research after discovering the lapse. The database was restricted from public access within hours.

However, it isn’t known how long the database was exposed and whether anyone else besides Fowler could have gained access to it. According to the researcher, “only an internal forensic audit” could identify potentially suspicious activity.

When the personal records of more than 400,000 people who have worked with American Addictions Centers, a for-profit addiction treatment chain, were exposed late last year, it soon surfaced that the company had suffered a cyberattack.


Attackers target healthcare organizations for two primary reasons: they’re often poorly protected, and the data they keep is extremely valuable. For example, leaked details can be used for health identity fraud, such as fraudulently obtaining prescription medication in a victim’s name.