DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Misconfigured MongoDB database exposes sleep disorder program patients’ information

Posted on January 5, 2017 by Dissent

I blacked out while driving and wrecked ….

So begins a message that was just one of more than 1,000 messages and more than 1,200 patient profiles exposed to the world because a sleep disorder clinic serving military personnel had a misconfigured MongoDB database that was indexed by Shodan.

Thankfully, the files were still intact when MacKeeper Security Research personnel discovered the leak yesterday. It would have been worse luck for the clinic if it had been attacked by the new ransomware that wipes the files and then holds if for ransom if the owner wants the data back.

Inspection of the exposed data and IP address revealed that the data were from patients seen at Militarysleep.org, which is associated with Womack Army Medical Center (WAMC) at Fort Bragg, North Carolina. MacKeeper promptly notified militarysleep.org and Wickwire Group, LLC, as many of the exposed files appeared to be theirs.

Shortly after notifications were sent, the database was secured, although it is not yet clear who secured it and whether that database was the responsibility of WAMC or the Wickwire Group. Neither entity responded to an inquiry from DataBreaches.net as to who was the responsible party, but the exposed directory filenames suggests that it may be Eckwire’s database installation.

The exposed data included personal information of military personnel, including their first and last name with middle initial, postal and email addresses, date of birth, last four digits of Social Security number, military rank, and their password to login to the portal, as this redacted patient (“user) profile demonstrates:

User profiles contained both personal information as well as military rank and active status. Courtesy of MacKeeper Security Research Center; redacted by DataBreaches.net

A second exposed database contained messages between the patients and doctor(s). In many cases, the messages were boilerplate messages that the results of the sleep study indicated no sleep apnea, and that the individual might want to sign up for the online learning program using cognitive-behavioral techniques to address insomnia. In other cases, the messages might include specific medication information or a report on how the patient was doing, such as the snippet from one message that appears at the beginning of this report.

The messages often included the patient’s military rank and full name.

The militarysleep.org site does not indicate whether it is a HIPAA-covered entity, which is one of the questions DataBreaches.net had put to the site and Wickwire.

This post will be updated if more information becomes available. Great thanks to the MacKeeper Security Research team for alerting me to this leak. You can read their post about the incident on their blog.

And if you know of an exposed database with patient records, please contact me via email (admin [at] databreaches [dot] net), Jabber (dbnet [at] swissjabber.ch) or on Twitter (@pogowasright).

 

Category: Breach IncidentsExposureHealth DataU.S.

Post navigation

← FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras
Ca: Thousands of University of Alberta students, faculty put at risk in malware security breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.