InfoSecBulletin Cybersecurity for mankind
Cybersecurity expert, Jeremiah Fowler discovered an unsecured database containing almost 5 million records reportedly relating to Care1 — a Canadian company offering AI software solutions.
He reported to VPN mentor that the publicly exposed database was unprotected, passwordless, and not encrypted, totaling 2.2 TB. It included records in PDF format detailing patient PII, doctors’ comments, and exam images, as well as .csv and .xls spreadsheets with patients’ home addresses, Personal Health Numbers (PHN), and health details.
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack
Daily Security Update Dated: 21.01.2025
126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems
CERT-UA alerts about “security audit” requests through AnyDesk
Oracle Critical Pre-Release update addressed 320 flaw
OWASP Reveils Top 10 Smart Contract Vulnerabilities for 2025
Multiple Azure DevOps Vulns Allow To Inject CRLF Queries & Rebind DNS
Intel holds 22 employees from one Bangladeshi University
VPN Surge 1500% in USA after TikTok Shut Down
MITRE Launches D3FEND 1.0; The Milestone for Cybersecurity Ontology
The database and its documents indicated that the records belonged to Care1, a Canadian medical tech company that offers software and AI reporting for optometrists specializing in retina and glaucoma treatments.
In Canada, a Personal Health Number (PHN) is a unique identifier used to share a patient’s health information among healthcare providers. This lifetime identifier stays the same even if a patient’s personal circumstances change. Although the PHN alone does not directly cause financial fraud or identity theft, it can be combined with other personal details to create patient profiles.
Care1 claims its software has handled over 150,000 patient visits and partners with more than 170 optometrists. Jeremiah Fowler reported that after he sent a responsible disclosure notice, public access was restricted the next day.
The duration of the database exposure and whether others accessed it is unknown. Only an internal forensic audit can reveal any additional access or suspicious activity.
Many healthcare systems around the world now use digital records and cloud storage. A 2019 survey found that approximately 86% of Canadian family doctors used electronic medical records (EMRs).
In the United States, the FBI reported 440 cyberattacks on healthcare facilities due to ransomware in 2023 and the first half of 2024. In Canada, however, there have been only 14 major attacks since 2015 that affected patient information.
Jeremiah Fowler said, “I received a reply from an administrator immediately after my disclosure notice stating: “Thank you for bringing this to our attention. Our team is currently working on resolving this issue”.
