Data trove of 1.6M patient records discovered online
A cybersecurity researcher writing for Website Planet has discovered a database of more than 1.6 million clinical trial records, none of which were encrypted. The 2TB trove was reportedly accessible without a password.
Jeremiah Fowler of Security Discovery said the 1,674,218 files were exposed to the Internet. They contained PDF surveys with protected health information and other sensitive data, including patient names, phone numbers, email addresses, dates of birth, COVID-19 vaccination details, lists of current medications, health conditions and diagnoses, along with other notes.
“Although these were surveys and not complete medical histories, these records could still contain highly personal details, including diagnoses, treatments and prescriptions that identify medical conditions—some of which may be potentially stigmatizing, such as HIV, cancer or psychiatric disorders,” Fowler wrote.
“One concern is that leaked medical data could be obtained by big data brokers and provided to health insurance companies, which could then charge higher premiums,” he added.
Some files also contained the names of doctors, known adverse reactions to COVID vaccines, and the pregnancy and birth control status of female patients. Fowler said his limited analysis of the trove indicated there were no duplicate records; however, he could not rule out the possibility.
The surveys were apparently in the care of DM Clinical Research, a firm that manages patient data from clinical trials. It’s unclear if the company was responsible for its storage or if it was outsourced to a third party. DM Clinical Research responded to Fowler’s request for comment, saying: “Our team is currently reviewing the details of your findings to ensure a swift and comprehensive resolution. Protecting sensitive data is a cornerstone of our organization’s operations, and we are committed to addressing any vulnerabilities in alignment with best practices and applicable laws and regulations.”
Fowler said he is not placing blame on anyone for this incident and makes no claim of illegal activity. Although the records contain protected health information (PHI), they may not fall under the purview of the Health Insurance Portability and Accountability Act (HIPAA), because most of the trove is self-reported and it isn’t clear that a HIPAA-covered entity collected and stored the information.
Regardless, the data poses a safety risk for patients, as it could be used for identity theft and phishing scams, in addition to the concerns Fowler raised about insurance companies abusing the information. He pointed to cloud storage as the underlying problem: because it is reachable from the Internet, data that is neither encrypted nor password protected can be found by virtually anyone.
“I would recommend that healthcare organizations take a serious look at how data is stored in cloud environments. As medical professionals are busy providing care or doing clinical research, the technology of data management is often outsourced to third-party contractors,” he wrote. “It is important that these contractors also undergo routine vulnerability and penetration testing to identify issues, such as open ports or an accidental public data exposure.”
The database has been password protected since the discovery was made, Fowler said.