Today’s concerning leak is brought to you by SavantCare. The leak was discovered by an independent researcher who first reported it on his blog yesterday. In his report, @JayeLTee states that he found exposed data that included data from SavantCare employee chats. “Over two-thirds of the 308 users on the chat were for SavantCare, a Mental and Behaviour Health Clinic from the United States, and around 30 users were from OVLG (Oak View Law Group),” JayeLTee reported, noting that the chat was likely set up by Grmtech, a digital marketing and SEO company from India.
“It was difficult to get any total numbers,” he told DataBreaches. “It was 130k files, but those contained a lot of dupes. After some de-duplication, there appeared to be about 87,000 files.” Not all of the files were from SavantCare. He also estimated that there were 6 million chat messages, about 1.8 million of which appeared to be from SavantCare employees.
Some of what JayeLTee saw reportedly included:
CURES reports (Controlled Substance Utilization Review and Evaluation System), patient medical reports, patient registration forms related to ZocDoc check-ins, professional liability insurance certs, lab reports, insurance medication reviews, insurance cards, ROI (release of information) docs, recorded calls, resumes, and more.
JayeLTee also shared some files with DataBreaches that he did not include or report in his blog post. They included audio files of phone conversations between SavantCare staff and patients. Some were routine calls to create appointments or deal with prescriptions, but there were also some sensitive phone recordings concerning lawsuits or potential lawsuits against SavantCare by patients in the U.S. and by the family of a deceased employee in India. JayeLTee waited to publish his findings, as did this site, until the data had been secured.
Noting that neither SavantCare nor GRMTech responded substantively to his disclosure, DataBreaches reached out to SavantCare to seek more details. Having established that SavantCare states that they are a HIPAA covered entity, DataBreaches emailed them a number of questions about the exposed data and its lack of encryption, whether GRMTech had adequate logs to determine how many unauthorized IP addresses may have accessed the data, and whether any regulators or patients have been notified.
They have not replied to that email or to the second request emailed earlier this week.
DataBreaches also emailed some questions to GRMTech in India, but no reply has been received. If SavantCare or GRMTech responds to DataBreaches’ inquiries, this post will be updated.