- Security researchers discover a database containing millions of PII records
- The database was created by Canadian healthcare giant Care1
- It was subsequently blocked, but customers still need to be careful
A huge database containing millions of sensitive records has been found unprotected online and can be accessed by anyone who knows where to look.
The cache was recently discovered by security researcher Jeremiah Fowler, who is known for finding misconfigured repositories or archives that are not password protected.
Fowler said the database he discovered this time contains more than 4.8 million documents and totals approximately 2.2 TB. While investigating the documents found in the archive, the researcher said he found eye exams in .PDF format, along with images containing patient personally identifiable information (PII), doctor comments and exam results.
“The database also contains .csv and .xls spreadsheets that list patients and include their home address, personal health number (PHN) and details about their health status,” Fowler told VPN Tutor.
A personal health number is a unique identifier assigned to an individual by a Canadian provincial or territorial health care system to manage access to publicly funded health care services. PHNs are used to track medical records, process insurance claims, and verify eligibility for medical services.
Cybercriminals may abuse a PHN for identity theft, such as obtaining unauthorized medical services, submitting fraudulent insurance claims, or illegally purchasing prescription drugs. They can also sell the numbers on the dark web for profit, or use the data to conduct targeted phishing or social engineering attacks.
After digging deeper, Fowler discovered that the database belonged to Care1, a Canadian company that provides artificial intelligence software solutions to support optometrists in providing better patient care. The company says its software has helped manage more than 150,000 patient visits and is used by more than 170 optometrists.
After realizing who the owner was, Fowler contacted the company, which quickly locked down the database. However, without detailed forensics, it’s impossible to know whether a malicious actor discovered the archive at any time in the past.