
The records of 2.7 million patients and 8.8 million appointments have been left publicly accessible online.
- An unprotected MongoDB instance exposed the records of 2.7 million patients and 8.8 million appointments, likely due to a common misconfiguration.
- Clues point to dental marketing company Gargle as the source, raising serious questions about third-party data handling and HIPAA compliance.
- Exposed personal data is a treasure trove for identity theft, insurance fraud, and phishing attacks.
Cybernews researchers have uncovered a massive data leak affecting US citizens’ medical data. Roughly 2.7 million patient profiles and 8.8 million appointment records were left wide open to anyone who knew where to look.
The data owner hasn’t been officially confirmed, but clues buried in the database point toward Gargle. The leak was caused by an unsecured MongoDB database that the company used.
The company offers marketing, SEO, and web development services specifically for dental practices. While not a healthcare provider itself, Gargle’s business model relies on handling patient-facing infrastructure, and in this case, possibly patient data.
It’s still unclear how long the database was exposed or who might’ve accessed it before it was locked down. After Cybernews informed the company about the leak, the dataset was secured. A comment by the company has yet to be received.
What data was leaked?
- Names
- Dates of birth
- Emails
- Addresses
- Phone numbers
- Gender
- Chart IDs
- Language preferences
- Billing details
- Appointment records with patient metadata, timestamps, and institutional references
How did the leak happen?
MongoDB databases power thousands of modern web applications, from e-commerce platforms to healthcare portals. In this case, the leak likely stemmed from a common and often overlooked vulnerability where databases are left exposed without proper authentication due to human error.
As research by Cybernews has shown, it’s a recurring blind spot that continues to haunt companies of all sizes and across various industries.
On its website, Gargle highlights its role in designing SEO-optimized websites that boost user conversion by encouraging them to book an appointment.
The company also offers integrations for real-time scheduling, patient communication, payment processing, and online form submissions. All the services are critical touchpoints that, if not securely configured, can become entry points for attackers.
The exposed medical data likely leaked from internal infrastructure tied to these third-party services.

How can leaked medical data be exploited?
The leaked dataset contains deeply sensitive information belonging to US-based patients: verified mobile numbers, home addresses, billing classifications, and institutional IDs. In isolation, any one of these data points might not seem as harmful. But bundled together, they form a comprehensive blueprint of a person's identity.
This kind of data opens the door to a wide spectrum of abuse. Identity theft is the low-hanging fruit, with attackers able to impersonate victims for financial gain.
With medical data on the table, the stakes get much darker. Threat actors can use this information to commit insurance fraud or medical identity theft. Victims are also vulnerable to well-crafted phishing and social engineering attacks.
A leak of this magnitude raises serious questions about noncompliance with the Health Insurance Portability and Accountability Act (HIPAA). According to the regulations, companies that deal with patient data are legally obligated to lock it down with strict safeguards.
What are the next steps?
- The company should notify affected individuals and publicly disclose the incident in compliance with HIPAA.
- If you recently had a dental appointment and suspect your data might have been affected by the leak, stay vigilant for phishing attacks. Be especially cautious of any unsolicited emails that reference a healthcare provider or medical history.
- Keep a close eye on your medical and insurance records for signs of unauthorized claims or activity.
- Consider enrolling in identity theft monitoring services.
Disclosure timeline
Discovery: March 26th, 2025
Initial disclosure: March 26th, 2025
Closed: March 26th, 2025