Massive data exposure affects over 21,000 patients in Carolina Anesthesiology database leak

A database containing sensitive medical and personal information of more than 21,000 patients was recently discovered publicly exposed online, raising significant concerns about data security practices in the healthcare sector. The breach was identified by cybersecurity researcher Jeremiah Fowler, who reported the discovery to Website Planet and subsequently to the affected organizations.


According to Fowler’s investigation, the database contained 21,344 records and spanned nearly 7 gigabytes of data. It was neither password-protected nor encrypted, leaving it accessible to anyone who encountered the database online. The data exposed included highly sensitive personally identifiable information (PII) and protected health information (PHI), such as patient names, addresses, insurance details, emergency contacts, diagnoses, medications, vital statistics, family medical histories, and physicians’ notes. Additionally, it included billing and compliance reports, which are used to ensure medical billing practices adhere to regulatory and ethical standards.


Metadata from the files indicated that the documents were generated by a medical software company’s electronic health record (EHR) system. Fowler contacted the software company, which confirmed that, while it had not created or stored the data itself, one of its customers had likely misconfigured the system. With Fowler’s help, the company identified the source and ensured the database was secured on the same day.


Fowler’s further analysis revealed references to Atrium Health within the exposed files. A folder labeled “Production/Atrium Reports” contained staff names affiliated with Atrium Health, based on publicly available information. Upon contacting Atrium Health, Fowler received confirmation that their cyber incident response team had launched an internal investigation.


Atrium Health later confirmed that the records belonged to Carolina Anesthesiology, P.A., an independent medical group providing anesthesiology services to High Point Regional Health System and Atrium Health facilities. Atrium Health emphasized that the breach originated from a misconfiguration on Carolina Anesthesiology’s side and not from its own internal systems. As a precaution, Atrium immediately suspended all data feeds to Carolina Anesthesiology and reported the incident to governing entities.


The exposed documents were identified as "Billing and Compliance Reports," which typically contain detailed patient-level data and procedural documentation used for insurance and healthcare accountability. The exposure of such data presents serious potential risks, including identity theft, insurance fraud, and targeted social engineering attacks. While there is currently no evidence that the database was accessed by malicious actors, the duration of the exposure and possible unauthorized access remain unknown pending a forensic audit.


Fowler, who operates as an ethical security researcher, reiterated that he did not download or misuse any data, taking only limited, redacted screenshots to confirm the exposure. His approach aligns with best practices for responsible disclosure, and both Atrium Health and the medical software vendor responded promptly to secure the data.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543