InfoSecBulletin Cybersecurity for mankind
Cybersecurity expert, Jeremiah Fowler discovered an unsecured database containing almost 5 million records reportedly relating to Care1 — a Canadian company offering AI software solutions.
He reported to VPN mentor that the publicly exposed database was unprotected, passwordless, and not encrypted, totaling 2.2 TB. It included records in PDF format detailing patient PII, doctors’ comments, and exam images, as well as .csv and .xls spreadsheets with patients’ home addresses, Personal Health Numbers (PHN), and health details.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
The database and its documents indicated that the records belonged to Care1, a Canadian medical tech company that offers software and AI reporting for optometrists specializing in retina and glaucoma treatments.
In Canada, a Personal Health Number (PHN) is a unique identifier used to share a patient’s health information among healthcare providers. This lifetime identifier stays the same even if a patient’s personal circumstances change. Although the PHN alone does not directly cause financial fraud or identity theft, it can be combined with other personal details to create patient profiles.
Care1 claims its software has handled over 150,000 patient visits and partners with more than 170 optometrists. Jeremiah Fowler reported that after he sent a responsible disclosure notice, public access was restricted the next day.
The duration of the database exposure and whether others accessed it is unknown. Only an internal forensic audit can reveal any additional access or suspicious activity.
Many healthcare systems around the world now use digital records and cloud storage. A 2019 survey found that approximately 86% of Canadian family doctors used electronic medical records (EMRs).
In the United States, the FBI reported 440 cyberattacks on healthcare facilities due to ransomware in 2023 and the first half of 2024. In Canada, however, there have been only 14 major attacks since 2015 that affected patient information.
Jeremiah Fowler said, “I received a reply from an administrator immediately after my disclosure notice stating: “Thank you for bringing this to our attention. Our team is currently working on resolving this issue”.
