In what has become a depressingly common occurrence, the personal information of hundreds of thousands of people may have fallen into the wrong hands because yet another organization did not secure a cloud-hosted database.
This time around, social media marketing house xSocialMedia has been accused of failing to set up proper protections on multiple databases tracking the activity of advertising campaigns for medical malpractice lawyers. That configuration blunder seemingly left the data silos facing the public internet for anyone to find and rifle through.
Researchers at vpnMentor, who specialize in discovering and documenting insecure cloud servers, say they were able to get into xSocialMedia's databases and view the personal information of people who had clicked on ads on Facebook for legal advice or class action claims for things like botched surgeries and defective implants.
Because of the nature of the campaigns, the biz tended to gather particularly sensitive information from netizens clicking through the promotions. The database of collected information, containing some 150,000 records, included things like names, addresses, phone numbers, and partial medical history.
"The ads that xSocialMedia post on Facebook lead users to a variety of 'injury-check.com' domains, depending on their specific ailments. Examples include ied-fund.injury-check.com and ivcfilter-risk.injury-check.com," staff at vpnMentor explained.
"xSocialMedia lists 10 different kinds of injury lawyers that they work with. Once Facebook users have entered one of the injury-check.com domains, they are encouraged to fill out a form with their medical data to see if they qualify for legal assistance."
It only gets worse from there. In another database, the vpnMentor crew say they also found copies of the testimony some plaintiffs had given as part of their medical malpractice suits. That testimony in some cases included personal and private medical information, and in others a recounting of traumatic incidents.
Crucially, we're told:
The injuries described in the database vary from combat injuries suffered by American veterans to injuries caused by medical devices, pesticide use, medication side-effects, and defective baby products.
The security blunder may also be a serious breach of US medical privacy laws.
"This data breach has far-reaching consequences, especially because of the sensitive health data included in xSocialMedia’s database. Medical records are heavily protected in the US by HIPAA laws," vpnMentor staff noted in their summary.
"Practitioners and other healthcare providers cannot release any identifying information about their patients without written permission."
xSocialMedia has yet to return a request for comment on the report. The vpnMentor team says it discovered the database on June 2, reported it on June 5, and by June 11 the offending server was locked down. ®