A slew of sensitive data pertaining to psychologists, doctors and other healthcare professionals involved with an arm of the U.S. Department of Defense was recently left unsecured online.
Chris Vickery, a security researcher with MacKeeper who has stumbled across unsecured internal databases before, discovered the information late last month.
Eleven gigabytes of data, including individuals’ names, locations, Social Security numbers, salaries, and assigned units was publicly accessible, Vickery said in a blog post published on New Year’s Eve. Vickery said the data–which has since been secured–belonged to doctors deployed in the United States Special Operations Command (USSOCOM or SOCOM).
The information, accessible as an unprotected remote synchronization (rsync) service, was the property of Potomac Healthcare Solutions, a Woodbridge, Va.-based health services contractor. The facility supplies health workers to the government through the management consulting firm Booz Allen Hamilton.
Included in the breach is data belonging to “at least two Special Forces data analysts with Top Secret government clearance,” Vickery said Saturday. The CEOs of Potomac Healthcare Solutions weren’t exactly receptive when Vickery brought the files to their attention last Thursday. The files remained online an hour after he alerted the firm by phone and email.
According to his blog, it wasn’t until Vickery called a higher-up, “Potomac’s boss,” or someone at Booz Allen Hamilton, we’re led to believe, that the files finally went offline.
“Potomac’s files went offline about 30 minutes later. I may never know for sure if that second phone call had anything to do with the documents finally being secured, but I’d like to think it might have helped,” Vickery wrote. “…Let’s hope that I was the only outsider to come across this gem. Let’s really hope that no hostile entities found it. Loose backups sink ships.”
When reached Tuesday, Booz Allen Hamilton said it was looking into the event.
“We take any allegation of a data breach very seriously, including those from our subcontractors. We are looking into this alleged event,” a spokesperson for the firm told Threatpost.
Potomac Healthcare said late Tuesday it was also investigating the incident.
“We are aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information. Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support. While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised. The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns.”
Potomac Healthcare Solutions told Threatpost on Thursday that it had completed its investigation but didn’t find any classified government information on the server in question. The server did, however, contain information on current and former employees:
“As a follow-up to the initial communication on this issue, Potomac Healthcare Solutions, with support from an external forensic IT firm, has completed its investigation of a security incident involving the unauthorized access of one of our internal servers. Despite earlier media reports, our review, which was immediately initiated after the initial questions were raised, has confirmed that the impacted server did not contain any classified government information or protected medical or personal data related to active duty military personnel or their families. However, the affected server did contain files with data of a limited number of current and former Potomac employees’ personal information. While we have no evidence to suggest that any employee information has been used inappropriately, Potomac is in the process of proactively reaching out to impacted employees to provide guidance on how they can protect themselves and is offering complimentary credit monitoring and identity theft protection services to affected individuals. The privacy and security of personal information is a top priority, and we are committed to taking steps to prevent this type of incident from occurring again in the future.”
Last summer, Vickery uncovered a database of 154 million U.S. voter profiles, including names, addresses, email addresses, and phone numbers, that were left on an unprotected server. Months before that, he discovered a publicly viewable database containing gigabytes of data on children signed up to uKnowKids, a service that allows parents to monitor their children’s activities.
It was only last month, just weeks before the Potomac Healthcare breach, that Vickery discovered a trove of data belonging to Ameriprise Financial investment accounts. That data also included Social Security numbers, along with bank authorization details, confidential internal company documentation, decryption keys, and certificates. Like the Potomac Healthcare Solutions data, no username or password was required to view it; the information was simply stored on a NAS device that wasn’t secured.
This story was updated on January 5, 2017 to include Potomac Healthcare’s statement.