1.6 Million Clinical Research Records With PII and Patient Medical Info Exposed in Data Breach


Written by: Jeremiah Fowler
Last updated: 18 February 2025
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about a non-password-protected database that contained over 1.6 million records belonging to DM Clinical Research — a Texas-based network of clinical trial sites that partners with pharmaceutical companies and medical organizations to conduct research studies and surveys.

[Image: DM Clinical Research data breach, key elements]

The publicly exposed database was not password-protected or encrypted. It contained 1,674,218 records with a total size of 2 TB. The documents inside the database were surveys in PDF format, and the file names included the individuals’ names. In a limited sampling of the exposed documents, I saw a trove of potentially sensitive personal and medical information, such as names, dates of birth, phone numbers, email addresses, vaccination statuses (including specific vaccines received), current medications, and other health conditions that the survey recipients may have.

Some surveys also contained notes that included adverse reactions to COVID-19 vaccines, other health problems, doctor’s name, whether the individual was on birth control or pregnant, and the name of the person conducting the survey. This information could potentially be considered private medical data and, therefore, be protected under privacy laws. Any public exposure of health-related information could have potentially serious implications. While things like financial data and some PII can change over time, personal health histories do not.

The name of the database and the records inside it indicated that they belonged to DM Clinical Research, a Houston-based network of clinical trial investigator sites. The company connects patients with physicians to conduct studies for new or alternative medicines, providing clinical trials as a treatment option to patients. I immediately sent a responsible disclosure notice to DM Clinical Research, and the database was restricted from public access and no longer accessible within hours of my notification.

The following day I received a reply to my responsible disclosure notice stating: “Our team is currently reviewing the details of your findings to ensure a swift and comprehensive resolution. Protecting sensitive data is a cornerstone of our organization’s operations, and we are committed to addressing any vulnerabilities in alignment with best practices and applicable laws & regulations”. Although the records belonged to DM Clinical Research, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.

According to the About Us page of DM Clinical Research’s website, the company was founded 20 years ago. It originally had an emphasis on vaccines and internal medicine, though it has since broadened its therapeutic areas to include pediatrics, GI, psychiatry, neurology, women’s health, and more. The network has multiple locations in Texas, including Houston, Tomball, Irving, and San Antonio. It also has locations in 9 other states: Arizona, Illinois, Massachusetts, Michigan, New Jersey, New Mexico, New York, Pennsylvania, and Washington state.

Although these were surveys and not complete medical histories, these records could still contain highly personal details, including diagnoses, treatments, and prescriptions that identify medical conditions (some of which may be potentially stigmatizing, such as HIV, cancer, or psychiatric disorders). One concern is that leaked medical data could be obtained by big data brokers and provided to health insurance companies, which could then charge higher premiums. The health insurance industry already uses a range of lifestyle data and known electronic health records to determine risk factors and coverage costs. Hypothetically, if an individual has an untreated health condition (such as addiction or mental health issues) and, prompted by a phishing attempt that uses the leaked medical data and is disguised as a clinical survey, shares this information in response, it could inadvertently expose private health information that the person has not shared with medical professionals, family, or close friends.

Cybersecurity and data protection are critical in healthcare because protected health information (PHI) is highly sensitive and financially valuable, making it a prime target for cybercriminals. According to a recent report by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), between January 1, 2018, and September 30, 2023, OCR documented a staggering 239% rise in data breaches linked to hacking. Over this same timeframe, ransomware attacks surged by 278%.

A data breach involving PHI can have serious potential consequences for both individuals and companies in the healthcare industry. For instance, individuals could potentially be targeted for phishing or extortion attempts, while companies could face medical privacy issues. This is why organizations that collect, store, and manage PHI must do everything possible to secure and protect their data and internal infrastructure from a wide range of cyber threats, vulnerabilities, and risk factors.

I would recommend that healthcare organizations take a serious look at how data is stored in cloud environments. As medical professionals are busy providing care or doing clinical research, the technology of data management is often outsourced to third-party contractors. It is important that these contractors also undergo routine vulnerability and penetration testing to identify issues, such as open ports or an accidental public data exposure. In this case, it is not known whether data management and storage were handled by DM Clinical Research or another entity.

Although no system can guarantee 100% security, there are proactive steps healthcare organizations can take to protect PHI and sensitive health information stored in cloud environments. Encrypting documents is always a good first step. For instance, PDF files support built-in encryption standards, allowing administrators to password-protect documents and control access permissions with very little effort — no daunting technology or development requirements needed to secure the documents.

Organizations should also establish a zero trust architecture. This would require users and devices to be authenticated with multi-factor authentication (MFA) before accessing sensitive data. Cloud storage systems can also be configured to grant minimum necessary permissions on an as-needed basis and include an expiration date. This can greatly reduce unauthorized access and allow organizations to know exactly who is accessing their data, why, and for how long those permissions are granted.
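The paragraph above describes the shape of a least-privilege grant: scoped to one record, tied to a stated purpose, time-limited, and auditable. The following Python is an added illustration of that idea and is not code from Website Planet, DM Clinical Research, or any cloud provider. It assumes a hypothetical document store that issues an HMAC-signed capability for a single survey file; the signing key, record names and principal names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example only; a real deployment would keep this in a
# secrets manager or KMS and rotate it.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(subject, record_id, purpose, ttl_seconds, now=None):
    """Issue a capability that allows ONE principal to read ONE record,
    for a stated purpose, until an explicit expiry."""
    now = int(time.time() if now is None else now)
    claims = {
        "sub": subject,        # who is being granted access
        "record": record_id,   # exactly which document
        "purpose": purpose,    # why (recorded in the audit trail on use)
        "iat": now,
        "exp": now + int(ttl_seconds),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def check_grant(token, record_id, now=None, audit_log=None):
    """Validate a grant against the record being requested.

    Returns (allowed, reason). On success an audit entry recording who,
    what, why and when is appended to audit_log (if one is supplied)."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Scope check: a grant for one survey must not open any other survey.
    if claims.get("record") != record_id:
        return False, "wrong record"
    # Expiry check: permissions lapse on their own instead of lingering.
    if now >= claims["exp"]:
        return False, "expired"
    if audit_log is not None:
        audit_log.append({
            "sub": claims["sub"],
            "record": record_id,
            "purpose": claims["purpose"],
            "at": now,
            "expires": claims["exp"],
        })
    return True, "ok"


if __name__ == "__main__":
    log = []
    tok = issue_grant("coordinator-12", "survey-0001.pdf", "follow-up call", 900)
    print(check_grant(tok, "survey-0001.pdf", audit_log=log), log)
    print(check_grant(tok, "survey-0002.pdf"))
```

The point of the design is that a grant answers the questions the paragraph raises (who, which record, why, until when) and that the answer is written to the audit log at the moment of use rather than reconstructed afterwards.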

I also recommend organizations use real-time threat and intrusion detection tools. This can be vital to quickly identify and respond to potential breaches or unauthorized access. When it comes to data exposure, remediation, and recovery, every second counts.
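As an added example of what "real-time detection" can mean for a document store like the one described, the Python below runs two simple rules over constructed access-log lines: any successful read of a survey document by an unauthenticated principal, and any single source that reads many distinct survey documents inside a short window (the enumeration pattern a public bucket invites). This is illustrative code written for this article, not a tool from Website Planet or DM Clinical Research; the log format, the `anon` principal name and the IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source-ip> <principal> <method> <path> <status>".
SAMPLE_LOG = """\
2025-02-18T10:00:01Z 10.0.0.8 coordinator-12 GET /surveys/survey-0001.pdf 200
2025-02-18T10:00:05Z 203.0.113.5 anon GET /surveys/survey-0002.pdf 200
2025-02-18T10:00:06Z 203.0.113.5 anon GET /surveys/survey-0003.pdf 200
2025-02-18T10:00:07Z 203.0.113.5 anon GET /surveys/survey-0004.pdf 200
2025-02-18T10:00:08Z 203.0.113.5 anon GET /surveys/survey-0005.pdf 200
2025-02-18T10:00:09Z 203.0.113.5 anon GET /surveys/survey-0006.pdf 200
2025-02-18T10:00:10Z 203.0.113.5 anon GET /surveys/survey-0007.pdf 200
2025-02-18T10:00:30Z 198.51.100.7 anon GET /surveys/survey-0008.pdf 403
2025-02-18T10:03:00Z 10.0.0.8 coordinator-12 GET /surveys/survey-0009.pdf 200
2025-02-18T10:03:05Z 10.0.0.8 coordinator-12 GET /healthz 200
"""


def parse_line(line):
    """Parse one access-log line into a dict; format is an assumption."""
    ts, src, principal, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "principal": principal,
        "method": method,
        "path": path,
        "status": int(status),
    }


def detect(lines, protected_prefix="/surveys/", bulk_threshold=5,
           window=timedelta(minutes=1)):
    """Return a list of alert dicts raised by two rules:

    unauthenticated_read: a 200 response on a protected path to principal 'anon'
    bulk_enumeration:     one source reads >= bulk_threshold distinct protected
                          documents within `window` (raised once per source)
    """
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (timestamp, path)
    flagged_bulk = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        # Only successful reads of protected documents matter for both rules;
        # denied requests (403) show the control working and are not alerted.
        if not ev["path"].startswith(protected_prefix) or ev["status"] != 200:
            continue
        if ev["principal"] == "anon":
            alerts.append({"rule": "unauthenticated_read", "src": ev["src"],
                           "path": ev["path"], "ts": ev["ts"]})
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= bulk_threshold and ev["src"] not in flagged_bulk:
            flagged_bulk.add(ev["src"])
            alerts.append({"rule": "bulk_enumeration", "src": ev["src"],
                           "distinct_docs": len(distinct), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above the first rule fires six times for 203.0.113.5 and the second rule fires once when that source reaches five distinct documents within a minute; the 403 line and the health check produce nothing. In a real deployment the same rules would read from the storage service's access log and feed a pager rather than a print loop, and the bulk threshold would be tuned to the normal per-user read rate.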

Most U.S. states have some type of data breach notification laws requiring organizations to inform affected individuals and relevant authorities after a breach involving personal information, including sensitive health data or protected health information (PHI). Under Texas law, businesses and organizations must notify the Office of the Texas Attorney General if a system security breach impacts 250 or more Texans. The notification should occur as soon as reasonably possible and no later than 30 days after the breach is discovered. It is not known if the authorities or potentially affected individuals have been notified. Data incidents involving PHI could potentially raise concerns regarding HIPAA’s privacy and security requirements, which aim to protect individuals’ health data and ensure confidentiality.

I make no accusations of wrongdoing against DM Clinical Research, or any of their contractors or affiliates. I do not imply nor assert that internal or survey participant data was ever at immediate risk. The hypothetical scenarios outlined in this report are purely educational and do not suggest any actual compromise of data integrity. They should not be interpreted as a representation of the specific practices, systems, or security protocols of any organization. As an ethical security researcher, I do not download any data that I discover. My actions are limited to capturing a small number of screenshots for the sole purpose of verification. I refrain from engaging in any activities beyond identifying the vulnerability and notifying the appropriate parties. I disclaim any liability for actions taken based on this disclosure. The findings I publish are intended to raise awareness about data security and privacy issues, especially in instances where it serves the public good. My objective is to encourage organizations to take proactive measures to protect sensitive information from unauthorized access.
