Care1's Exposed Database Puts Millions of Patient Records at Risk
Cybersecurity

12 Dec 2024 3 min read databreaches.net

A database containing over 4.8 million records belonging to Care1 was found exposed without any security measures. The incident raises concerns over patient privacy and data security.

Key Takeaways

  • "It contained over 4.8 million documents with a total size of 2.2 TB," Fowler detailed.
  • This exposed database held more than 4.8 million records, amounting to a staggering 2.2 TB of sensitive information.
  • Fowler expressed concerns, stating, "It is not known how long the database was exposed or if anyone else gained access to it," while noting that the exposed bucket had been indexed with links to files since at least July 2023.

In a significant security oversight, cybersecurity expert Jeremiah Fowler recently identified a non-password-protected database belonging to Care1, a Canadian company specializing in AI software solutions for optometry. This exposed database held more than 4.8 million records, amounting to a staggering 2.2 TB of sensitive information.

"The publicly exposed database was not password-protected or encrypted. It contained over 4.8 million documents with a total size of 2.2 TB," Fowler detailed. Among the types of records found were eye examination results in PDF format, which included personally identifiable information (PII), comments from doctors, and images of exam results. Additionally, the database harbored CSV and XLS spreadsheets listing patients along with vital details such as home addresses, Personal Health Numbers (PHN), and health information.

Fowler's responsible disclosure approach was commendable, with a swift response from Care1 that highlighted the importance of immediate action in such scenarios. "I immediately sent a responsible disclosure notice, and public access was restricted the following day," he recounted. However, the timeline regarding the exposure of the database remains unclear, raising questions about possible unauthorized access.

The exact duration of the exposure and whether any unauthorized parties accessed the database is still under investigation. Fowler expressed concerns, stating, "It is not known how long the database was exposed or if anyone else gained access to it," while noting that the exposed bucket had been indexed with links to files since at least July 2023.

In response to Fowler's disclosure, an administrator from Care1 acknowledged the issue, stating, "Thank you for bringing this to our attention. Our team is currently working on resolving this issue." It is still unclear if the database was directly managed by Care1 or through a third-party contractor.

The incident raises critical questions about whether Care1 will issue a public disclosure or notify affected physician practices and patients regarding the data exposure. The lack of immediate communication can increase anxiety among patients about their private information.

"Hopefully Care1 or their vendor has access logs going back before July 2023," Fowler mentioned, emphasizing the need for thorough investigation through an internal forensic audit to understand the scope of the exposure.

As the field of cybersecurity continues to evolve, incidents like these underline the persistent vulnerabilities faced by organizations managing sensitive health data. With increasing reliance on technology in patient care, the stakes are higher than ever. The consequences of data breaches affect not only companies but also the trust and safety of patients they serve.

Looking Ahead

It remains to be seen how Care1 will manage the fallout from this breach and whether it will implement stronger security measures to protect patient data in the future. As the digital landscape becomes more complex, organizations must prioritize data security to prevent breaches that can lead to severe ramifications for the stakeholders involved.