The security research team at VPNOverview has uncovered a data breach that could have compromised nearly 100,000 doctors, nurses, and other healthcare professionals working at major hospitals across the U.S. VPNOverview has reached out to Digital Journal with details.
VPNOverview contacted PlatformQ in February 2022 to inform them of the breach, but received no response. They discovered that they had removed access to the database and spreadsheet files by April 2022, thereby sealing the leak.
According to VPNOverview, PlatformQ accidentally published a database backup file in a misconfigured plus AWS S3 Bucket, it was believed the file contained marketing for the drug Zarex.
The leak exposed sensitive information that would have been useful for hackers, including healthcare worker’s full names, personal email addresses, job titles, work addresses, phone numbers and NPI numbers – a 10-digit number that will be used to identify a person to their healthcare partners, including all payers, in all HIPAA standard transactions (this is a reference to the Health Insurance Portability and Accountability Act of 1996).
Such identifiers can also be entered to scan publicly available government databases that provide even more detailed information on individual medical professionals, such as mailing addresses, practice addresses, and other identifiers.
In total, workers’ information from 255 different hospitals across the U.S. was exposed. Some of the hospitals affected include.
| Hospitals Affected | |
| Yale New Haven Hospital | Cleveland Clinic |
| Barnes-Jewish Hospital | Johns Hopkins |
| Mount Sinai Medical Center | Beaumont Hospital |
| Saint Francis Hospital | Memorial Hermann-Texas Medical Center |
| Tampa General Hospital | Massachusetts General Hospital |
| Duke University Hospital | Miami Valley Hospital |
| MedStar Washington Hospital Center | Houston Methodist Hospital |
| Medical City Dallas | Northwestern Memorial Hospital |
| Henry Ford Hospital | New York Presbyterian Hospital |
| University of Maryland Medical Center | Hackensack University Medical Center |
Mirza, Privacy Expert, at VPNOverview tells Digital Journal: “Our discovery identifies doctors, nurses, and other healthcare workers at major hospitals, among others, across the US. What makes it distinct is that we came across NPI numbers.”
Mirza adds: “Cybercriminals can assemble and misuse the combination of PII and NPI data and exploit personal and professional information belonging to doctors, nurses, and administrators. This can cause spam emails, calls, and texts affecting medical professionals. Worse yet, targeted phishing attacks and identity fraud. As such, entities that operate in essential sectors like healthcare must be cautious about cloud security basics.”
