Earlier this month, a publicly exposed database belonging to Care1, a Canadian medical technology company, was discovered without password protection or encryption. The database contained over 4.8 million documents with a combined size of 2.2 terabytes, exposing sensitive patient data.
What Was Exposed?
According to Jeremiah Fowler, the cybersecurity researcher who discovered the data, the database included:
A limited sampling of the exposed documents revealed the gravity of the breach, as these files contained sensitive Personally Identifiable Information (PII) and confidential medical data.
Upon discovery, Fowler sent a responsible disclosure notice, and public access was restricted the following day. However, it remains unclear if any digital miscreants accessed the database or engaged in suspicious activity.
The incident highlights the broader implications of healthcare data breaches: medical data is often regarded as very valuable on dark web marketplaces because it can be used to commit medical identity theft and other crimes.
“While the PHN itself may not directly lead to financial fraud or identity theft, it could potentially be combined with other personal information to create an identity profile on patients,” Fowler said. “Unauthorized access to an individual’s private medical history or the misuse of services under someone else's name or PHN are outstanding concerns in the medical industry.”
We recommend patients immediately report any misuse of health information to the authorities to prevent loss of access to certain medical services or financial damage.
Want to find out whether your personal, financial or health data has been part of a data breach? Use Bitdefender’s Digital Identity Protection for:
- Instant Alerts: You can immediately react to data breaches and privacy threats and take swift action to prevent damage, such as changing passwords, via one-click action items.
- Real-time monitoring: The service continuously scans the internet and dark web for your personal information. You will receive alerts whenever your data is involved in a breach or leak.
- Peace of mind: This service immediately flags suspicious activity and actively monitors personal information for peace of mind.
- A 360° view of all your personal data: See your digital footprint, including traces from services you no longer use but that still have your data, and even send requests for data removal from service providers.
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.