The security research team at VPNOverview has uncovered a data breach that could have compromised nearly 100,000 doctors, nurses, and other healthcare professionals working at major hospitals across the United States.
PlatformQ — self-described as a “leading provider of digital engagement solutions” for healthcare (PlatformQ Health) and education (PlatformQ Education) — inadvertently published a database backup stored in a misconfigured AWS S3 bucket. Based on the findings, our security team believes the leak was marketing data for the generic drug Zarex.
PlatformQ Leaks Zarex Medical Marketing Data
VPNOverview’s security team discovered a trove of sensitive personal data stored in a backup database and across thousands of other files. From our research, we found that the information is connected to the marketing of Zarex, a generic drug used to treat and prevent stomach ulcers.
“It seems like the spreadsheets were being imported into the marketing database,” VPNOverview lead cybersecurity researcher Aaron Phillips noted. “I took a screenshot of the Zarex directory. A lot of the files had personal information, and we found all that same information in the database.”
What information was compromised?
The leak exposed sensitive information, such as:
- Full names
- Personal email addresses
- Job titles
- Work addresses
- Home, work and private phone numbers
- National provider identifier (NPI) numbers
It’s important to note that NPIs — 10-digit codes used to identify medical professionals and providers — are often used on Medicare or Medicaid forms.
The identifiers can also be entered to scan publicly available government databases that provide even more detailed information on individual medical professionals, such as mailing addresses, practice addresses, and other identifiers.
The database our security team recovered had 98,922 entries. We found a few dozen test entries, but the majority of the database contained personal information.
Email handles like @gmail.com, @yahoo.com, and @verizon.com also hint that these are personal email addresses, instead of publicly available contacts.
“One thing that stood out to me was the large proportion of personal email addresses,” Phillips said. “If this data had been scraped from a federal registry, I would expect most of the email addresses to have healthcare domains. A lot of the addresses don’t match up with the federal registry, either. This looks like marketing data that was mishandled to me.”
Doctors and Nurses at Major Hospitals Affected
Per the screenshots above, the data clearly identifies doctors, nurses, and other healthcare workers at hospitals across the US. Though 255 different hospitals were affected, here is a selection of some of the major hospitals where workers’ information were exposed:
- Yale New Haven Hospital
- Cleveland Clinic
- Barnes-Jewish Hospital
- Johns Hopkins
- Mount Sinai Medical Center
- Beaumont Hospital
- Saint Francis Hospital
- Memorial Hermann-Texas Medical Center
- Tampa General Hospital
- Massachusetts General Hospital
- Duke University Hospital
- Miami Valley Hospital
- MedStar Washington Hospital Center
- Houston Methodist Hospital
- Medical City Dallas
- Northwestern Memorial Hospital
- Henry Ford Hospital
- New York Presbyterian Hospital
- University of Maryland Medical Center
- Hackensack University Medical Center
Timeline
We contacted PlatformQ in February 2022 to inform them of the breach, but received no response. We discovered that they had removed access to the database and spreadsheet files by April 2022, thereby sealing the leak.
We reached out to PlatformQ again on several occasions but received no response to our request for comment.
Here’s a timeline of our PlatformQ investigation, from discovery to mitigation:
| Event | Date |
|---|---|
| VPNOverview security team discovered the files | February 2022 |
| We notified PlatformQ via email | February 2022 |
| PlatformQ removed access to the database and spreadsheets | April 2022 |
Risks of Such a Breach
The risks of having this much variety of personal information exposed are extremely dangerous. Malicious actors could leverage this information to orchestrate extremely specific spam emails, calls, and texts. It could also enable targeted phishing attacks and identity fraud.
Doctors and other healthcare professionals are at higher risk of becoming victims of cybercrime. One of these reasons may very well be the large amount of personal information that the healthcare industry is required to collect, store and publish.
NPIs offer up more in-depth information
In this case, our security research team feels NPI numbers in particular could be a stepping stone toward committing Medicare or Medicaid fraud.
An NPI is a 10-digit code that identifies medical professionals and healthcare providers in the US, and can be used by patients and insurance providers on Medicare and Medicaid forms.
While the leaked PlatformQ data contains sensitive personal information itself — like email addresses, cell phone numbers, and job titles — the NPI numbers can also reveal further publicly available information.
Here are some fields that are present in a health professional’s NPI record:
- Full name and any other names
- Gender
- NPI type (individual or organization)
- Status
- Full mailing address
- Full address of primary practice, primary taxonomy and selected taxonomy
- Health information exchange
- Other identifiers such as 10-digit Medicaid serial numbers
“It just seems like carelessness to me,” Phillips said. “PlatformQ should have paid more attention to cloud security basics. They spent time and money gathering personal data, then lost track of it. Hopefully, we closed this breach before anyone noticed and took the data.”
Original Cybersecurity Research from VPNOverview
With the recent barrage of data breaches and ransomware attacks crippling businesses and governments around the globe, maintaining the highest standards of cybersecurity has become paramount. At VPNOverview, we strive to inform our readership of the threats they face online, and how to pursue online privacy while not compromising their internet freedom.
Our independent security research team has begun rooting out potentially dangerous exploits, vulnerabilities, and leaks and closing them before cybercriminals and other bad actors can get to them.
Here’s a rundown of some of our recent research and reports:
- We found another leak of sensitive data via a misconfigured S3 bucket. Sephora leaked information on 500,000 customers.
- We discovered that the popular app Clubster had leaked user data, and also found additional vulnerabilities were present.
- Our lead researcher worked with SEGA Europe to secure sensitive files that were also inadvertently stored on a public database.
- We conducted a survey on how Republicans and Democrats view online privacy under the Biden Administration.
