Jeremiah Fowler discovered a non-password-protected database that contained more than 4.8 million records belonging to Care1 — a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care:
The publicly exposed database was not password-protected or encrypted. It contained over 4.8 million documents with a total size of 2.2 TB. In a limited sampling of the exposed documents, I saw eye exams in .PDF format, which detailed patient PII, doctor’s comments, and images of the exam results. The database also contained .csv and .xls spreadsheets that listed patients and included their home addresses, Personal Health Numbers (PHN), and details regarding their health.
This time, responsible disclosure went quickly, smoothly, and appropriately on both ends:
The name of the database as well as the documents inside it indicated that the records belonged to Care1, a Canadian medical technology company that provides software and AI reporting for optometry doctors specializing in retina and glaucoma treatments. I immediately sent a responsible disclosure notice, and public access was restricted the following day. It is not known how long the database was exposed or if anyone else gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity. I received a reply from an administrator immediately after my disclosure notice stating: “Thank you for bringing this to our attention. Our team is currently working on resolving this issue”. It is not known if the database was owned and managed by Care1 directly or via a third-party contractor.
Read more on vpnMentor.
Fowler states, “It is not known how long the database was exposed or if anyone else gained access to it,” but the exposed bucket was indexed with links to files since at least July 2023 — and possibly earlier. Hopefully Care1 or their vendor has access logs going back before July 2023.
So will Care1 issue any public disclosure or notify physician practices or patients about the formerly exposed S3 bucket? We will have to wait and see.
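Whether anyone can answer Fowler's open question (how long the bucket was exposed, and who else reached it) depends on whether S3 server access logging was enabled on the bucket. The following is an added example, not code from the article, vpnMentor or Care1, showing how a responder would triage such logs: it parses the documented space-delimited S3 access-log format, separates anonymous requests (requester and authentication type both logged as "-") from signed ones, and reports the first successful anonymous listing or object read. The owner ID, bucket name, IP addresses, object keys and log lines are all constructed for illustration.

```python
"""Triage S3 server access logs for anonymous (unauthenticated) reads.

Added example; not code from the article or from Care1/vpnMentor.
Assumes S3 server access logging was enabled on the bucket and that the
lines follow the documented S3 access-log layout. All sample data below
(owner ID, bucket, IPs, keys) is constructed.
"""
import re
from datetime import datetime

# Fields through user_agent have a fixed shape; the trailing fields
# (version_id, host_id, signature_version, ...) are split afterwards.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+) (?P<total_time>\S+) (?P<turnaround>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"(?P<rest>.*)$'
)
TRAILING = ["version_id", "host_id", "signature_version", "cipher_suite",
            "auth_type", "host_header", "tls_version"]
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
READ_OPS = ("REST.GET.BUCKET", "REST.GET.OBJECT")

OWNER = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
HOST = "example-bucket.s3.ca-central-1.amazonaws.com"
UA = "Mozilla/5.0 (compatible; crawler)"

# Constructed sample: a denied anonymous listing, then (three weeks later)
# a successful anonymous listing and object read from the same crawler IP,
# then a SigV4-signed read by the bucket owner.
SAMPLE_LOG = "\n".join([
    f'{OWNER} example-bucket [14/Jun/2023:09:12:44 +0000] 203.0.113.7 - 7F1C2D3E4A5B6C7D '
    f'REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "{UA}" '
    f'- h1= - - - {HOST} TLSV1.2',
    f'{OWNER} example-bucket [02/Jul/2023:03:45:10 +0000] 203.0.113.7 - 8A2B3C4D5E6F7A8B '
    f'REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 51234 - 38 37 "-" "{UA}" '
    f'- h2= - - - {HOST} TLSV1.2',
    f'{OWNER} example-bucket [02/Jul/2023:03:45:12 +0000] 203.0.113.7 - 9B3C4D5E6F7A8B9C '
    f'REST.GET.OBJECT exams/2023/exam-000123.pdf "GET /exams/2023/exam-000123.pdf HTTP/1.1" '
    f'200 - 418233 418233 120 60 "-" "{UA}" - h3= - - - {HOST} TLSV1.2',
    f'{OWNER} example-bucket [05/Jul/2023:16:20:01 +0000] 198.51.100.23 {OWNER} A1B2C3D4E5F6A7B8 '
    f'REST.GET.OBJECT exams/2023/exam-000124.pdf "GET /exams/2023/exam-000124.pdf HTTP/1.1" '
    f'200 - 402118 402118 90 45 "-" "aws-cli/2.13.0" - h4= SigV4 '
    f'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {HOST} TLSV1.2',
])


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for name, value in zip(TRAILING, rec.pop("rest").split()):
        rec[name] = value
    rec["timestamp"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def is_anonymous(rec):
    # Unauthenticated requests carry no requester ID and no SigV2/SigV4
    # header or presigned query string, so both fields are logged as "-".
    return rec["requester"] == "-" and rec.get("auth_type", "-") == "-"


def anonymous_reads(lines):
    """Anonymous listing/object-read records, oldest first."""
    recs = (parse_line(ln) for ln in lines)
    hits = [r for r in recs if r and is_anonymous(r) and r["operation"] in READ_OPS]
    return sorted(hits, key=lambda r: r["timestamp"])


def summarize(lines):
    """Counts plus the earliest successful anonymous read, for a disclosure timeline."""
    hits = anonymous_reads(lines)
    ok = [r for r in hits if r["status"] == "200"]
    return {
        "successful": len(ok),
        "denied": sum(1 for r in hits if r["status"] == "403"),
        "first_success": ok[0]["timestamp"].isoformat() if ok else None,
        "objects": sorted({r["key"] for r in ok if r["operation"] == "REST.GET.OBJECT"}),
        "source_ips": sorted({r["ip"] for r in hits}),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{k}: {v}")
```

Two caveats a responder should keep in mind: S3 server access logs are delivered on a best-effort basis and only cover the period after logging was turned on, so an empty result does not prove nobody read the data; and if access logging was never enabled, CloudTrail S3 data events are the only other record of object-level reads. A crawler's first successful REST.GET.BUCKET listing is usually the best available lower bound on when public exposure began.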