Thousands of medical records leaked online – including whether people tested positive for Covid
InHouse Physicians, an Illinois healthcare provider that offers on-site medical services and wellness programs to organizations, leaked sensitive data online through an unprotected database that was accessible to anyone who knew where to look.
Cybersecurity researcher Jeremiah Fowler, in a report published with Website Planet, recently discovered a database that was not password protected and contained 148,000 records from the healthcare company.
The archive contained people’s full names, their phone numbers, and whether or not they had permission to enter an event, or had tested positive for Covid-19 and been denied entry. The entire database was 12GB in size and was locked shortly after Fowler got in touch.
SIM swapping and identity theft
“In the publicly available PDF files, I saw information about the status of participants in a wide range of events, such as investor forums, family planning services, and other potentially sensitive sectors that could be valuable targets for cybercriminals,” Fowler explains.
While revealing “just” names and phone numbers may not seem like much, it’s more than enough for skilled cybercriminals. Fowler said he used free search engines and open source tools available to the general public and fed them the information he obtained. They provided further identifying information, helping him create an even larger profile of potential targets.
Furthermore, knowing someone’s phone number is a risk for potential SIM swapping attacks. These attacks are often used to bypass multifactor authentication and gain access to valuable accounts, such as banking, social media or business platforms.
Unsecured databases remain one of the most common and destructive causes of data breaches. For example, taxi company iCabbi exposed sensitive information on over 300,000 taxi passengers in the UK and Ireland in mid-April 2024. This database was also discovered by Fowler, who confirmed that it held over 20,000 records containing personally identifiable information (PII) such as names, emails and phone numbers.