Dental marketing firm Gargle likely source of 8M leaked patient records
Cybersecurity researchers have discovered a massive database online, exposing 2.7 million patients and 8.8 million records, all of which were found to be fully accessible to the public without any password protection or other security.
According to a report from Cybernews, the database is an exposed MongoDB instance containing appointment records and other details on dental patients. As of writing, the owner of the database remains unconfirmed. However, clues point to it originating from Gargle, a marketing group that works with systems specializing in oral health, in an effort to bring in more clients and expand their patient base.
Gargle’s work often relies on managing patient care databases and other infrastructure, Cybernews said. In this case, it seems that may also mean patient records, assuming this lot was exposed by the marketing company.
Information online includes names, birth dates, addresses, contact information, and patient demographic information, such as gender. It also includes appointment records, including some procedure information and chart IDs from various institutions.
Cybernews said the data could be easily discovered with any scanning tool and any actor with basic cybersecurity knowledge could gain access to the full trove.
Gargle is based in Utah. The full-service marketing group often builds websites for dental practices that allow patients to log in and schedule appointments, get updates from their attending clinicians and more. As for how the database ended up publicly available online, Cybernews said it's most likely an oversight.
“MongoDB databases power thousands of modern web applications, from e-commerce platforms to healthcare portals,” the researchers wrote. “In this case, the leak likely stemmed from a common and often overlooked vulnerability where databases are left exposed without proper authentication due to human error.”
Cybernews called this type of breach a “recurring blind spot that continues to haunt companies of all sizes and across various industries.”
Security firm calls for breach to be reported
In reviewing the trove, Cybernews was explicit in saying the accumulated data is enough to build a profile on an individual that nefarious actors could use to commit identity theft, along with a “wide spectrum of abuse” related to impersonating an individual and opening up financial accounts on their behalf.
“The leaked dataset contains deeply sensitive information belonging to US-based patients: verified mobile numbers, home addresses, billing classifications, and institutional IDs. In isolation, any one of these data points might not seem as harmful. But bundled together, they form a comprehensive blueprint of a person's identity,” the firm said.
“With medical data on the table, the stakes get much darker. Threat actors can use this information to commit insurance fraud or medical identity theft. Victims are also vulnerable to well-crafted phishing and social engineering attacks,” it added.
Cybernews stopped short of affirming that this data breach is a violation of the Health Insurance Portability and Accountability Act (HIPAA), and thus needs to be reported, but they did recommend the responsible party take accountability and report the incident to regulators.
They also recommend that patients who recently received dental care monitor their credit reports for any sign of suspicious activity.
“If you recently had a dental appointment and suspect your data might have been affected by the leak, stay vigilant of phishing attacks. Be especially cautious of any unsolicited emails that reference a healthcare provider or medical history,” Cybernews recommended, adding that this includes keeping a close eye on medical and insurance records for any unauthorized claims.
The full report is available here.
Gargle denies data leak occurred
HealthExec reached out to Gargle for more information and received a lengthy statement denying claims made in the report. Part of the statement from Jeff Richins, president of the marketing group, is below:
On June 4, Cybernews published an article alleging that a Gargle MongoDB server exposed over 8 million dental patient records — a claim that is entirely false, misleading, and unsubstantiated.
The server in question was a small internal research and development environment, never containing more than 60,000 patient records used for testing, and was used for a limited 90-day evaluation period. It was never publicly accessible, never externally accessed, and never exposed to the internet.
Simply put: there was no data leak, and there was no risk to any patient or client data.