Personal and health information of 918,000 vulnerable seniors was exposed on the Internet for months by a software developer working on a project. No one would have even known about it if the leak hadn’t been found by a guy with “too much time on his hands.” Before you give your personal or health insurance information to telemarketers or firms that call to offer you supplies for diabetes or back pain or other conditions, think twice. And then think again, because do you really know whether the individual or firm you are giving your identity information to is trustworthy or to whom they may be giving it?
On March 25, a Twitter user known as @s7nsins (“Flash Gordon”) contacted DataBreaches.net about exposed data that appeared to contain medical information. He had discovered it in the course of running some Shodan.io searches. Cursory inspection by this blogger revealed that these were likely not patient records held by a HIPAA-covered entity, but the records appeared to contain both personal and health information: names, addresses, dates of birth, telephone numbers, email addresses, social security numbers, health insurance carrier, policy numbers, and information about what types of health problems the individuals had in terms of needing diabetic supplies, back braces, or pain gel.
Not every record had every field completed, and for many of the records, the Social Security numbers and insurance policy numbers appeared to be either truncated, wrong, or missing.
Of the more than 900,000 records, the majority included reference to Blue Cross Blue Shield, United HealthCare, Aetna, Cigna, and other well-known insurers. There were also more than 1 million references to “Medicare” and 3,901 references to “Medicaid.”
The records also made frequent reference to Platinum Marketing Group, HealthNow.co, and certain medical suppliers like Liberty Medical. [Note: The “HealthNow.co” domain and “Health Now Networks, LLC” have absolutely no relationship to HealthNow New York, Inc., which is an independent licensee of Blue Cross Blue Shield.]
Scripts that the telemarketers were to follow in calling patients were also included.
It appeared that this was some kind of marketing database that included telemarketers’ notes on their contacts. Many of those notes contained sensitive information such as that the individual was blind, had an aide named [x] or a child named [y] helping them, or that they had had a stroke, etc. Of concern, it appeared that although a few people were reluctant or declined to give out their health insurance information, many people seemingly gave out their health insurance information to total strangers for the promise of diabetic supplies at lower prices, pain gels, or even free back braces.
So this was not a breach of any health insurer, but who owned these data? The IP address belonged to “MediBoxSolutions.com.” But there was only a screen with an 888 number on its url, the domain registration details were behind a privacy proxy, and voicemail messages left by this blogger on two separate days to the 888 number did not produce the desired results or a call back. Concerned that criminals could be downloading the files, and unable to get a response from MediBoxSolutions, DataBreaches.net reached out to a contact who, in turn, reached out to Amazon. The files were removed from public access shortly thereafter.
But that still left this site with some unanswered questions, including how many people may have accessed the exposed data and who, if anyone, was going to notify over 900,000 people that their personal and health data had been exposed this way?
DataBreaches.net turned to Troy Hunt and HaveIBeenPwned.com for help with the notifications and to Zack Whittaker of ZDNet for help trying to track down the owner of the files. Troy’s report will be available on his blog today, but his initial analyses indicated that there were 321,920 unique email addresses in the database, meaning that 321,920 people were at greater risk of being contacted for scams involving diabetic supplies or receiving targeted phishing emails to obtain other personal information or to inject malware. And almost 600,000 people may still have no idea that their data were exposed for months and may have been accessed by criminals. Troy informed us that over 80% of the email addresses in the files were already in HIBP, suggesting that these lists are being circulated widely by spammers, and perhaps, scammers.
You can read Zack’s full report on ZDNet, but here is some of what ZDNet and DataBreaches.net found in our joint investigation:
- The files originally belonged to HealthNow Networks, also known as Health Now or Health Now Networks (healthnow.co). Although there is no connection to BCBS’s HealthNow New York, Inc., plan, it wouldn’t be surprising if some patients hearing the name “HealthNow” may have erroneously assumed some connection to the respected health insurance plan.
- HealthNow Networks is owned by Dino A. Romano. It was registered as a business in Boca Raton, Florida in March, 2014. It ceased as a Florida business in September, 2015 for failure to file an annual report and fee.
- At some point, Daynier Brown, a software developer with WebbaBox who did work for Romano, obtained a copy of the HealthNow.co database. It was still in his possession after he completed the work for HealthNow.co.
- Romano has opened and closed numerous businesses, including Platinum Marketing Group. Other businesses he has had involvement with include DiabetesHelpNow, Help Now Networks LLC, Welco, LLC, Education Advisors, LLC, Horizon Venture Capital Group, LLC, Platinum Financial Suite 202, LLC, Platinum Telemarketing LLC, Health Now Wellness Management, Inc., Energy Consulting Partners Corp, Equotedata.Com, LLC. – and there are others. We could find no explanation why Romano opened so many businesses and let them be dissolved for failure to file an annual report and pay a small fee. Nor do we know why Romano opened so many businesses in seemingly disparate fields.
- Romano appears to have been in some difficulty concerning securities fraud in 1993 and 2003. We found no evidence that HealthNow.co has been accused of any illegal conduct.
Coordinating with ZDNet, DataBreaches.net eventually contacted Daynier Brown of Webbabox Technologies. In email communications, Brown informed DataBreaches.net that he owns both the MediBoxSolutions.com domain and the 888 number, and that Medibox “is a domain for a temporary staging of files being purged from an older server.” After being contacted by AWS about the data mistakenly left in the root folder, it was removed, Brown stated.
In follow-up communications, Brown explained that, “The data in question was an old system that I developed for healthnow.co in recent years. The files were temporarily placed on the server to get the old crm up and running as the box that I had it sitting on had drive issues and could not run the related platform properly. The system was found to be too unstable and I opted to start a different crm flavor on a MEAN stack. Frankly, I found myself without the time to venture further into it and put the project on hold.”
Brown agreed to determine how many unique IP addresses may have accessed the files while they were unintentionally exposed, but then did not provide DataBreaches.net with that information. Zack Whittaker’s attempts to obtain that information from him were reportedly also unsuccessful. As one consequence, we do not know how many people may have obtained all these files, and that’s concerning. We also do not know if Brown would have ever checked to determine if the files had been accessed, and if he would have notified anyone or any regulator of the leak – and that’s food for thought, too.
Asked to comment on the leak or the risk these kinds of databases pose, Blue Cross Blue Shield Association (BCBSA) issued the following statement:
“BCBSA has aggressive measures in place to address and combat the ever-evolving and heightened cybersecurity threats that are impacting every industry. As part of these efforts, we have an expansive intelligence and reporting system and dedicated fraud departments and Special Investigation Units who are conducting analytics to report, investigate and help to reduce the incidence of fraud. We are aware of this scheme involving a suspicious telemarketing company that has no association with our organization, and we alerted law enforcement, including the FBI, to this issue. We ask that all consumers be extra vigilant in not providing personal information to anyone over the phone unless they have verified to whom they are providing such information.”
Kaiser Permanente, Aetna, and AARP were also asked for their comments, but did not reply to emailed inquiries.
For consumers, or for those of us who have parents or family members with diabetes or other chronic conditions, this leak and BCBSA’s strong caution should serve as a useful reminder that a lot of sensitive health information is not regulated by HIPAA or HHS, and that there may be many copies of unencrypted databases or lists floating around in many hands and many places. To be clear: DataBreaches.net is not suggesting that HealthNow.co or any of its related entities or Mr. Brown have done anything that is illegal. That said, the AARP has previously tried to warn seniors about the risks of scams related to diabetic supplies, and this leak makes clear that many people are still giving out identity information and insurance information on the phone to total strangers offering diabetic supplies and other types of supports.
If HHS has no regulatory authority over many of these entities, perhaps the Federal Trade Commission should open an investigation into whether some telemarketers are failing to provide reasonable data security for consumers’ personal and health information. As Zack notes in his report, the FTC has been taking action against telemarketers since the 1990’s, but it could also use its enforcement authority to look at the issue of whether they are using reasonable security given the very personal and medical nature of the information they are collecting, storing, and sharing.