DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

MedCall Advisors suffers second data leak in less than one month

Posted on October 8, 2018 by Dissent

A few weeks ago, DataBreaches.net reported on a leaky Amazon S3 bucket owned by MedCall Advisors in North Carolina. The leak, which exposed approximately 3,000 patients’ protected health information, was discovered by UpGuard, who published a number of redacted screenshots to document the leak.  Their detailed report also noted how Randy Baker, the CEO of MedCall Advisors, did not acknowledge or respond to their notification of the leak, although the leak was secured within hours of them sending the CEO an email.  MedCall also failed to respond to questions put to it by DataBreaches.net.

MedCall Advisors not only failed to respond to UpGuard and DataBreaches.net, but, more importantly, perhaps, they never even asked whether we would securely delete any ePHI we may have acquired. 

In light of their response – or lack of response – you shouldn’t be totally surprised to learn that a few weeks later, DataBreaches.net was  contacted by another researcher, Britton White, who informed this site that MedCall Advisor’s S3 bucket was leaking again.

This time, it appeared that 10,000 files might be available for download…. and/or deletion or editing.  The leak was noted on grayhatwarefare.com’s site, where any curious soul or criminal could find pages and pages of exposed MedCall files listed for the taking.

For the second time in less than one month, MedCall Advisors leaked thousands of patients’ protected health information from their Amazon S3 bucket. This screenshot shows part of how the leak was exposed on grayhatwarefare.com. Some exposed files appeared to include patients’ names in the filenames.

White attached a .csv file that included patients’ name, email address, postal address, phone numbers (fixed and cell), gender, date of birth, and  Social Security Number.

Other files contained recordings of patient evaluations/conversations with doctors, and records completed by doctors following patient or injured employee contacts. These detailed records contained information such as what medications the patient was already on, any allergies, the nature and detail of their complaint, onset, etc.

Even files that appeared to be deleted from the bucket were actually still available for download. And as before, there were was no login required, no encryption of the data, and the files were writable.  DataBreaches.net promptly emailed MedCall Advisors to alert them to this newest leak. Once again, the email notification resulted in security of the data but without any acknowledgement from the firm.

Were any patients, doctors, or client companies notified by MedCall Advisors after the first incident?  Are any going to be notified after this second incident?

How many people may have found the exposed files and downloaded them?

All we can say for sure  is that there is no report/entry from MedCall Advisors up on HHS’s breach tool at this time, and there is no notice on their web site at this time.

After verifying that the patient names belonged to real individuals, DataBreaches.net sent email inquiries to some doctors whose names appeared in some of the injury contact files to ask if MedCall has notified them of any leak. A few patients and employee supervisors whose names appeared in files were also sent emails asking them whether MedCall Advisors has advised them of any data leak incidents.  This post will be updated if any responses are received.

When DataBreaches.net notified Randy Baker of this second leak, this site also asked him how MedCall was going to prevent a third leak.  Baker not only failed to acknowledge the courtesy notification that they were leaking patient data, but he did not answer the question as to what steps they would take to prevent a third recurrence.

Maybe they will answer those questions for OCR. Unless, of course, they decide that this is not a reportable breach under HIPAA.  But even if they are not covered by HIPAA, they likely have some notifications to make to state attorneys general and patients.

 

Related posts:

  • Data of almost 3,000 patients experiencing emergency symptoms exposed online by MedCall Advisors
  • TeamGhostShell posts “master list” of 548 leaks (so far)
  • Ugh. Amazon buckets with 1.8 million pharmacy-related files and 1.2 million telemarketing recordings about diabetic supplies found unsecured
  • HIPAA nightmare: An IT vendor’s error left more than 300,000 files with protected health information exposed
Category: Commentaries and AnalysesExposureHealth DataOf NoteU.S.

Post navigation

← An OCR investigation illustrates the value of investigating small and medium-sized entities
Google Exposed User Data, Feared Repercussions of Disclosing to Public →

4 thoughts on “MedCall Advisors suffers second data leak in less than one month”

  1. Randy says:
    October 9, 2018 at 4:00 pm

    Well I contacted you, Randy

    1. Dissent says:
      October 9, 2018 at 7:31 pm

      Yes, now you have, and I look forward to being able to update the reporting after we speak.

  2. Grayhatwarfare says:
    October 10, 2018 at 4:53 am

    Some credit would be nice:

    Leaks are found at https://buckets.grayhatwarfare.com/

    1. Dissent says:
      October 10, 2018 at 12:57 pm

      You WERE credited in the figure caption.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.