
Unprotected database exposes tens of thousands of medical records

If you think you’ve been seeing a lot of news about data leaks involving medical records, you’re right. There have been a number of high-profile cases this year alone, including a recent breach that exposed millions of people’s medical and financial records.

That breach involved a medical collections agency that was hacked, but a number of other incidents aren’t deliberate attacks at all. Instead, they involve unprotected databases. Those are often discovered by security researchers who then alert the affected firms to get that data secured.

That brings us to another data leak, potentially involving tens of thousands of records in a database maintained by an ad agency. But this data included extremely sensitive medical information of a wide range of people, including military veterans.

A database with no password

The database in question primarily involves medical injury claim records, but it’s not part of any medical facility. This one is run by X Social Media, a Florida-based internet advertising company that works to help law firms find potential clients.

Here’s how sites like that work: law firms will hire ad agencies to set up websites built around very specific medical conditions or injuries. Those campaigns are advertised on places like Facebook, where people seeking legal help fill out online forms with their information, including the type of injury or illness they’re suffering from.

And this database contained 150,000 records like that, open and unprotected with no password required. Two security researchers with vpnMentor discovered the database at the beginning of June and shared their findings with X Social Media, which took the database offline nearly a week later.

Information in the database

The discovery by vpnMentor was shared with TechCrunch, which reports the database contained information like names, addresses and phone numbers as well as sensitive medical information. For instance, TechCrunch came across records involving combat veterans who were injured, other people who suffered from pesticide or medication-related illness and even claims involving sexual abuse.

In essence, it was a lot of very sensitive data that could be easily traced back to the person who filled out the digital form on one of these websites. The report said the database also included information on the law firms that hired X Social Media, along with those firms’ financial records and banking info.

TechCrunch said they soon found another open database similar to the first, but with fewer records. X Social Media also pulled that database when notified by TechCrunch, and at first reportedly denied that they even store medical data and called the researchers’ findings “inaccurate.”

X Social Media reconsidered after being presented with some of those exposed files, and later issued a statement saying the database was shut down after they were notified by TechCrunch of a MongoDB database vulnerability.

They said they could find no other evidence of anyone accessing the records, aside from TechCrunch. Although those records have been secured, X Social Media didn’t say how long the data was exposed.

Data leaks and your sensitive info

If your data has been involved in any kind of leak, never just assume you’ll be contacted. While you can’t prevent hacks or accidental data exposures, you can mitigate the personal impact by being proactive with your data security.

Unfortunately, it doesn’t take much of your personal information for a criminal to be able to use it against you for fraud and identity theft. That’s why it’s good practice to regularly check your financial statements, both for banking and credit cards. Look for anomalous charges or activity and contact the institution when something doesn’t look right.

Watch for phishing attacks that come in the form of calls, texts or email. At the very least, receiving them means some of your information is out in the open, so also be mindful of your other online accounts. Use different and sophisticated passwords for each online account, which we can help you do with these tips.

Read vpnMentor’s findings on this most recent data leak by tapping or clicking here.
