The publicly exposed database, which was neither password-protected nor encrypted, contained over 4.8 million records, including sensitive patient information and medical documents.
Fowler states that the exposed bucket had been indexed with links to files since at least July 2023, raising concerns about how long the database remained unprotected.
Responsible disclosure was handled efficiently: public access to the database was restricted the day after the breach was reported.
It remains unclear whether Care1 or a third-party contractor managed the exposed database, and whether unauthorized access occurred.