- A clinical research organization’s dataset has been discovered online
- The documents include Personally Identifiable Information (PII)
- It’s not clear whether criminals have accessed the information
A dataset belonging to a clinical research firm has been discovered publicly exposed online without an encryption or password-protection.
Security researcher Jeremiah Fowler discovered the DM Clinical Research database containing 1,674,218 records, totaling 2TB, including names, medical information, phone numbers, email addresses, medications, and health conditions – along with other data which would put anyone exposed at risk of fraud, identity theft, or social engineering attacks.
Although the name of the dataset indicates the details belong to DM Clinical Research, it’s not clear if this was owned and managed by them directly or by a third-party – but here’s what we know so far.
Valuable information
It’s unclear how long the database was exposed before the researcher sent a disclosure notice, but it was no longer accessible ‘within hours’ of the notice being sent. There’s a chance that threat actors may have accessed the information, but only an internal forensic audit could determine this.
“Our team is currently reviewing the details of your findings to ensure a swift and comprehensive resolution,” DM Clinical Research replied to the disclosure. “Protecting sensitive data is a cornerstone of our organization’s operations, and we are committed to addressing any vulnerabilities in alignment with best practices and applicable laws & regulations”.
Healthcare information is extremely sensitive and highly valuable for threat actors. Because of this, healthcare organizations are being hit hard by cyberattacks – especially by ransomware and data breaches – which is why data protection is so important in industries that hold personal information.
In 2024, a cyberattack led to the compromise of 190 million American, forcing some applications offline and UnitedHealth also suffered a ransomware attack which resulted in customer information leaked onto the dark web – highlighting just how attractive the industry is for criminals.
Serious consequences
This could be really damaging for patients, especially those with serious medical conditions that may come with stigma, like psychiatric conditions, HIV, or cancer. If criminals access your medical information, they can construct social engineering attacks pretending to be a doctor, health insurance company, or medical professional.
“Any public exposure of health-related information could have potentially serious implications. While things like financial data and some PII can change over time, personal health histories do not,” Fowler points out.
For companies, there are steps you can take to protect your data so that your organization is protected. Security breaches can cost an organization millions, not just in direct costs, but in reputational damage for customers and business partners.
To ensure you’re storing customer data safely, encryption software is incredibly important. Businesses have a legal responsibility to protect their customer records, which means un-encrypted datasets could result in legal action and financial loss.
Using real-time threat and intrusion detection can be a vital tool too, like endpoint detection software, which works by scanning for intrusions and suspicious activity, and alerting security admins if anything is found.
After a breach, it’s important for firms to be transparent to mitigate the damage. This will ensure lasting consumer confidence and trust between your organization and its partners.
For individuals affected by a data breach, it’s crucial to monitor financial accounts, bank statements, and transactions to look for anything out of place.
Especially important is being on the lookout for social engineering attacks like phishing – with medical information, criminals may pose as trusted professionals or, in the US where healthcare can compromise your financial situation, take advantage of patients who may desperately need money.
Be wary of unexpected communications, any unrecognised emails or phone calls, and don’t open any attachments that aren’t from 100% trusted sources. Make sure you create a strong and secure password, and don’t reuse it, especially for financial and health organizations.
