EyeCare Services Partners (ESP) is a private company with a network of ophthalmologic, optometric and ambulatory surgery centers. It is headquartered in Dallas, Texas. On February 9, an IT student who was searching the internet for exposed datasets noticed that ESP had an unsecured blob listed on GrayhatWarfare. Due to other work, “JLT” (as he has asked to be called on this site) did not start really investigating the leak until March 1.
Inspection of Unsecured Data
When JLT started looking at the exposed blob, he discovered the server had over 500,000 files available for public download without any authorization. The files included transaction logs for the SQL server and database backups for ESP’s practice brands.
JLT informs DataBreaches that there were approximately 50 TB of data in the unsecured blob. He wasn’t able to determine the full scope of the leak or the total number of unique patients affected, but he was able to provide some statistics and estimates:
- The biggest database backup had 3.1 million patients in the patient table with 1.6 million unique Social Security numbers (SSN).
- The total number of unique SSN in the database backups was over 2 million, he estimates. There was one instance where patients’ SSN were encrypted, but he later found the same SSNs in plain-text in another database. “The total number of unique patients was not determined, but there’s likely more than 3.5 million,” he estimated.
- Some databases contained images, but they appeared to be password-protected compressed archives with millions of files.
- There were patient notes, encrypted transaction data, diagnoses, and patients’ details such as whether the patient was a smoker, a veteran, etc.
- Health insurance data in the backups included unencrypted date of birth, patient name, insurer, policy number, patient address, and diagnoses. Some data was in separate tables but could be easily merged.
- Employee fingerprint data — most likely related to door scanners — was also found.
- The server also contained internal databases with credentials and keys to various servers/services. Some were encrypted, but some were in plain-text. JLT did not test the keys or credentials and so does not know if any were valid.
Notifying ESP
On March 15, JLT sent an email to ESP, alerting their CEO and CIO to the situation. “The server was locked down less than 30 minutes after my initial email to them,” he tells DataBreaches. “Some hours later, the CIO emailed me saying they locked it down and inviting me to tell him more. He never asked me any specific questions, though, and he never asked me for my IP address or if I would delete any data,” JLT added.
JLT did not know for how long the blob had been left unsecured or how many people may have accessed or downloaded protected health information from it.
On March 30, DataBreaches emailed James Lumby, the CIO of ESP, and Theresa Bissonnette, their Compliance Officer. The two executives were asked a number of questions about the incident, but no replies have been received.
Given that data was accessed and downloaded, this appears likely to be a reportable breach under HIPAA. If the exposed data fell into criminals’ hands, it could potentially be misused for identity theft or fraudulent purposes. But did it? Hopefully, ESP had good logs and will provide a statement with some forthright answers about access to the exposed data and any downloads.
DataBreaches will continue to monitor this incident to see if it appears on HHS’s public breach tool or the Texas Attorney General’s breach site and will update this post when more information becomes available.