Nearly 150,000 Records Were Exposed Online by On-Site Medical Service Provider

Written by: Jeremiah Fowler
July 17, 2024
Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet a non-password-protected database that contained 148,000 records belonging to InHouse Physicians, a healthcare provider that offers on-site medical services and wellness programs to organizations, including corporate health and wellness solutions, event medical services, and occupational health programs. The database contained documents that indicated whether a person was cleared to enter an event or had tested positive for COVID-19 and was denied entry. The documents included names and phone numbers.

The non-password-protected database contained 148,415 PDF documents totalling 12 GB. Each document contained the name of the individual and indicated whether they were cleared or denied entry to conferences, events, or other functions based on the results of medical screenings. The documents indicating denials included instructions on what to do if the individuals were experiencing symptoms of COVID-19. Each document contained the logo and phone number of Illinois-based InHouse Physicians. I immediately sent a responsible disclosure notice, and public access was restricted shortly after. InHouse Physicians acted fast and professionally to secure the documents and thanked me for the notification and for bringing it to their attention. Although the documents belonged to InHouse Physicians, it is not known if they managed the database or if it was managed by a third party.

According to their LinkedIn profile: InHouse Physicians is a global provider of innovative onsite healthcare solutions that assist corporations in reducing healthcare claims. Using a value-based approach, our “next generation” worksite clinics reduce healthcare costs while improving health outcomes that matter most to patients.

During the COVID-19 pandemic, healthcare providers and organizations collected vast amounts of personal and medical data, as testing was often mandatory to attend events, work, or travel. The emergency situation and the need to share vast amounts of information across different healthcare systems, government agencies, and patients caught many organizations unprepared for mass data storage, data protection, and privacy. Both public and private health providers had to collect and store test results, vaccination records, contact-tracing information, and personal health details of millions of individuals with little to no planning or guidance. Now that the pandemic is behind us, there is a serious risk of these databases being abandoned or left unsecured and posing potential security and privacy threats. This data exposure of COVID-19 era documents is a prime example of why healthcare organizations should prioritize auditing and reviewing what information they have stored, who has access to such information, and whether the data should be given an expiration date once it is no longer in active use.

In the publicly exposed PDF files, I saw information indicating statuses of attendees for a wide range of events such as investor forums, family planning services, and other potentially sensitive sectors that could be high-value targets for cyber criminals. For verification purposes, I selected a random sample of documents from the database, and I looked up the names and phone numbers on search engines and open source tools available to the general public. By doing this, I was able to easily obtain further identification details on the individuals from the sample. This means it would be easy for criminals to exploit the exposed information and target individuals with phishing campaigns or social engineering tactics. I am not saying these individuals are at imminent risk of fraud; I am only providing hypothetical scenarios for educational purposes of how these exposed data points could potentially be used by malicious actors.

According to a report by DarkReading, there were an estimated 24+ billion credentials circulating on the dark web in 2022. This is a massive amount of data that criminals can use to build a complete profile of potential victims. Once high value targets are selected, nefarious actors can source information from known public data and then cross-reference that with the ever-growing amount of exposed data that is being sold or dumped on the dark web. In this case, the names of some of the files I saw included the first and last names of individuals as well as their phone numbers.

One potential risk of exposed phone numbers would be SIM cloning, also known as SIM swapping or SIM hijacking. There are numerous documented cases of cyber criminals using the victim’s phone number, supplemented by additional personal information, to impersonate the victim and convince a mobile provider to issue a new SIM card. Once the attacker has successfully swapped the SIM, they gain control over the victim’s phone number and mobile account, allowing the criminal to receive calls, texts, and intercept any two-factor authentication codes sent to the number associated with the account. This also means criminals could potentially reset passwords for accounts linked to that number, such as email, social media, banking accounts, and more.

According to a warning issued by the FBI Internet Crime Complaint Center (IC3), in 2021, victims of SIM swapping reported losses of more than $68 million. That represents an increase of nearly 460% in just one year. It also indicates a growing risk of a very non-technical crime that relies on choosing a target, gathering exposed data, and using social engineering tactics. In November 2022, criminals were able to steal $400 million in cryptocurrency after they SIM-swapped an AT&T customer by using a fake ID and impersonating them at a physical retail store. I am not saying that patients or customers of InHouse Physicians are at risk of a social engineering attack or of being a victim of SIM swapping; I am only highlighting how SIM swapping works and the potential risks involved for educational purposes on the importance of data protection.

Protecting yourself from SIM swapping and social engineering

Unfortunately, there is no one-size-fits-all approach to preventing criminals from targeting victims with an ever-growing list of tools and methods. As a general rule, my advice is to stay vigilant and be aware of the most common scam tactics used by criminals — that can help prevent falling victim to the scams yourself. However, SIM swapping is a serious potential risk because it primarily depends on the mobile provider and their internal policy for verifying customers. In this case, it is important to ensure that your mobile service provider offers additional security measures before authorizing any changes to your account or issuing a new SIM card. When possible, I would recommend using app-based Two-Factor Authentication (2FA), as it does not rely solely on the phone number and adds an additional layer of protection.

Social engineering is by far the biggest threat nowadays, as it is estimated that 98% of cyber attacks involve some form of social engineering. Gone are the days when we could easily spot potential fraud by identifying grammatical mistakes or when the criminals simply guessed personal information — now the threats are personalized and individually targeted. In 2023, the FBI issued a warning highlighting how criminals are using artificial intelligence to successfully launch social engineering attacks. My advice is to always be cautious about sharing personal information online or over the phone — always verify that the person or organization requesting your personal, banking, or health information is who they say they are. By understanding how phishing attempts and other tactics are used to gather personal information, you can identify suspicious activity and protect yourself online and offline.

Cloud storage databases containing COVID-19-era information are potentially vulnerable to unauthorized access because of the lack of active management or regular security updates.

It is important for organizations that collect and store medical or health records to have information retention policies, which include implementing time limits and expiration dates for data stored. This can help ensure that the data that is not actively being used or is no longer relevant is deleted or archived securely offline. The massive data collection of the COVID-19 era offers many lessons that the medical industry can learn from when it comes to data protection and privacy. Mistakes happen and identifying vulnerabilities can help prepare us for the next chapter, whatever that may be.

I do not imply any wrongdoing by InHouse Physicians, nor do I claim the information contained in the exposed PDF files was ever at risk. It is not known how long the documents were exposed or if anyone else gained access to the publicly accessible database. Only an internal forensic audit could identify this information. As an ethical security researcher, I do not download the data I find and only take a minimal number of screenshots for verification and reporting purposes. I publish my findings for educational purposes and to promote cyber security and advocate for data protection best practices.
