InfoSecBulletin Cybersecurity for mankind
Cybersecurity expert, Jeremiah Fowler discovered an unsecured database containing almost 5 million records reportedly relating to Care1 — a Canadian company offering AI software solutions.
He reported to VPN mentor that the publicly exposed database was unprotected, passwordless, and not encrypted, totaling 2.2 TB. It included records in PDF format detailing patient PII, doctors’ comments, and exam images, as well as .csv and .xls spreadsheets with patients’ home addresses, Personal Health Numbers (PHN), and health details.
Data breach! Ireland fines Meta $264 million, Australia $50m
Over 25K SonicWall VPN Firewalls exposed to critical flaws
AI-made nude images incident, one school, 50 female victim
Over 4 lac files ‘leaked’: Telecom Namibia hit by major cyberattack
HSBC sued by ASIC: customers allegedly scammed of $23 million
Sophos Thwarts Global Firewall Attack promptly, Protects Thousands from Data Theft
Android malware attack Indian banks: Infected 419 devices
Indian-American OpenAI whistleblower Suchir Balaji found dead in San Francisco
Canadian company exposed unprotected almost 5 million records
Daily Security Update Dated: 13.12.2024
The database and its documents indicated that the records belonged to Care1, a Canadian medical tech company that offers software and AI reporting for optometrists specializing in retina and glaucoma treatments.
In Canada, a Personal Health Number (PHN) is a unique identifier used to share a patient’s health information among healthcare providers. This lifetime identifier stays the same even if a patient’s personal circumstances change. Although the PHN alone does not directly cause financial fraud or identity theft, it can be combined with other personal details to create patient profiles.
Care1 claims its software has handled over 150,000 patient visits and partners with more than 170 optometrists. Jeremiah Fowler reported that after he sent a responsible disclosure notice, public access was restricted the next day.
The duration of the database exposure and whether others accessed it is unknown. Only an internal forensic audit can reveal any additional access or suspicious activity.
Many healthcare systems around the world now use digital records and cloud storage. A 2019 survey found that approximately 86% of Canadian family doctors used electronic medical records (EMRs).
In the United States, the FBI reported 440 cyberattacks on healthcare facilities due to ransomware in 2023 and the first half of 2024. In Canada, however, there have been only 14 major attacks since 2015 that affected patient information.
Jeremiah Fowler said, “I received a reply from an administrator immediately after my disclosure notice stating: “Thank you for bringing this to our attention. Our team is currently working on resolving this issue”.
