An unsecured and publicly accessible MongoDB database owned and managed by Florida-based ad agency xSocialMedia was found containing almost 150,000 medical records that included details of harms and injuries suffered by thousands of military veterans and other citizens.
According to security researchers Noam Rotem and Ran Locar at vpnMentor, multiple unsecured databases managed by xSocialMedia were found containing nearly 150,000 medical records that included "deeply personal medical testimonies, identifying information, and contact information for users".
The researchers found vast troves of information in the databases such as first and last names, email addresses, physical addresses, phone numbers, IP addresses, circumstances of injuries and explanations about the injuries. xSocialMedia runs ad campaigns on Facebook for over two hundred law firms in the US who help people with filing medical malpractice lawsuits.
"The injuries described in the database vary from combat injuries suffered by American veterans to injuries caused by medical devices, pesticide use, medication side-effects, and defective baby products," said vpnMentor, adding that the details included deeply private symptoms suffered by patients as a result of their surgeries and could ruin their professional reputation if exposed to their employers.
xSocialMedia database contained deeply personal medical details of thousands of patients
Imformation available in the unsecured databases were of people who had clicked on ads posted on Facebook by xSocialMedia to submit their forms and also included details of about 300 different law firms who collected data from xSocialMedia to build medical malpractice lawsuits. The databases also included details about how much each law firm paid xSocial Media for generating leads for them via Facebook.
"This data breach has far-reaching consequences, especially because of the sensitive health data included in xSocialMedia’s database. Medical records are heavily protected in the US by HIPAA laws. Practitioners and other healthcare providers cannot release any identifying information about their patients without written permission," vpmMentor noted.
After investigating the unsecured databases, the researchers informed xSocial Media about the data exposure and also informed Tech Crunch about their findings. xSocialMedia shut down the unsecured databases immediately and has informed Federal agencies about the exposure.
"After being notified by TechCrunch about a security problems in MongoDB the X SocialMedia developer team immediately shut down the vulnerability create [sic] by a MongoDB database and did a night long log file review and we only found the two IP addresses, associated with TechCrunch accessing our database.
"Our log files show that nobody else accesses the database while in transit. We will continue to investigating this incident and work closely with state and Federal agencies as more information becomes available," the ad agency said.
vpmMentor researchers uncovered Tech Data breach as well
Earlier this month, security researchers Noam Rotem and Ran Locar also discovered an unprotected server owned by Fortune 500 company Tech Data Corporation that contained vast amounts of personal and financial data belonging to customers as well as some passwords and private keys.
The said server was used by Tech Data to store a database that logged internal company events for its StreamOne cloud service. According to the researchers, lack of password-protection allowed them to access up to 264GB of client servers, invoices, SAP integrations, plain-text passwords, and other information.
After gaining access to the unprotected server, the researchers observed that it leaked vast quantities of personal and financial data that included personally identifying information of customers such as names, email addresses, job titles, postal addresses, telephone numbers, and fax numbers.
Other data observed in the database included private API keys, bank information, payment details, usernames, unencrypted plain-text passwords, and machine and process information of clients’ internal systems that could prove invaluable for hackers.