- Security researcher found a database containing millions of PII
- The database was built by a Canadian healthcare giant called Care1
- It was subsequently locked down, but customers till need to take care
A huge database containing millions of sensitive records has been discovered unprotected online available to anyone who knew where to look.
The cache was recently discovered by security researcher Jeremiah Fowler, known for uncovering misconfigured databases, or non-password-protected archives.
This time around, Fowler said he found a database containing more than 4.8 million documents, and weighing roughly 2.2 terabytes. Investigating the files found in the archive, the researchers said he found eye exams in .PDF format, together with patient Personally Identifiable Information (PII), doctor’s comments, and images of the exam results.
Reacting to the findings
“The database also contained .csv and.xls spreadsheets that listed patients and included their home addresses, Personal Health Numbers (PHN), and details regarding their health,” Fowler told vpnMentor.
Personal Health Numbers are unique identifiers, assigned to individuals, by provincial or territorial healthcare systems in Canada to manage access to publicly funded healthcare services. They are used to track medical records, process insurance claims, and verify eligibility for healthcare services.
Cybercriminals could abuse PHNs by using them for identity theft, such as obtaining unauthorized medical services, filing fraudulent insurance claims, or purchasing prescription drugs illegally. They could also sell these numbers on the dark web for profit or exploit the associated data to craft targeted phishing or social engineering attacks.
Drilling deeper, Fowler found that the database belonged to Care1, a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care. The company says its software helped manage more than 150,000 patient visits, and is used by more than 170 optometrists.
After realizing who the owner was, Fowler reached out to the company, who locked the database down soon after. However, without detailed forensics, it’s impossible to know if malicious actors found the archive at any time in the past.
/cdn.vox-cdn.com/uploads/chorus_asset/file/23932739/acastro_STK070__01.jpg)
