Thousands of medical records leaked online — including whether people tested Covid positive

A healthcare organization kept an unprotected database sitting online

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

InHouse Physicians, an Illinois-based healthcare provider that offers on-site medical services and wellness programs to organizations, was leakingsensitive data onlinevia an unprotected database that was available to anyone who knew where to look.

A report fromWebsite Planetand cybersecurity researcher Jeremiah Fowler recently found a non-password-protected database containing 148,000 records belonging to the healthcare company.

The archive contained people’s full names, their phone numbers, and whether or not they were cleared to enter an event, or tested positive for Covid-19 and denied entry. The entire database was 12GB heavy, and was locked down soon after Fowler reached out.

SIM-swapping and identity theft

“In the publicly exposed PDF files, I saw information indicating statuses of attendees for a wide range of events such as investor forums, family planning services, and other potentially sensitive sectors that could be high-value targets for cyber criminals,” Fowler explained.

While exposing “just” names and phone numbers might not sound like much, it’s more than enough for skilled cybercriminals. Fowler said he used free search engine and open source tools available to the general public and fed them the obtained information. They returned further identification details, helping him create an even bigger profile of potential targets.

Furthermore, knowing a person’s phone number opens them up for potential SIM-swapping attacks, which are often used to bypass multi-factor authentication and access high-value accounts such as banking, social media, or business platforms.

Unsecured databases remain one of the most common and most destructive causes of data leaks. For example, in mid-April 2024,taxi firm iCabbi exposed sensitive information on more than 300,000 taxi passengersin the UK and Ireland. This database was also discovered by Fowler, who confirmed it contained more than 20,000 records, and included Personally Identifiable Information (PII) such as names, emails, and phone numbers.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Another reason to avoid edge-lit 4K TVs: they may fail faster than others, according to this report