Care1, a Canadian medical technology company specializing in AI-powered optometry solutions, has exposed over 4.8 million records spanning a total of 2.2 TB.
The exposed data includes eye exam reports in PDF format containing detailed patient PII (Personally Identifiable Information), doctors’ comments, and exam images.
Apart from this, there were spreadsheet files (.csv and .xls) containing patient addresses, Personal Health Numbers (PHNs), and other health-related details.
A cybersecurity researcher, Jeremiah Fowler, discovered the unprotected database containing sensitive patient information.
The database, clearly linked to Care1, was reported to vpnMentor by Jeremiah Fowler. Public access to the database was restricted within a day of the responsible disclosure notice.
A Care1 administrator responded promptly, stating, “Thank you for bringing this to our attention. Our team is currently working on resolving this issue.”
It remains unclear how long the database was exposed or whether it was accessed by unauthorized parties. A forensic audit is necessary to assess the full extent of the breach.
In Canada, Personal Health Numbers (PHNs) serve as lifelong unique identifiers for patients in the healthcare system. While PHNs alone may not lead to financial fraud, combining them with other personal data could enable identity theft or unauthorized access to medical services.
Medical records are considered highly sensitive, and their exposure could have serious implications, including misuse of personal information and privacy violations.
Care1 offers AI-driven software solutions tailored for optometrists, specializing in retina and glaucoma treatments. According to its LinkedIn profile, the company has managed over 150,000 patient visits and partnered with 170 optometrists worldwide. Care1 promotes its innovative use of AI to transform eyecare practices.
The healthcare sector remains a prime target for cyberattacks, particularly ransomware. In the U.S., the FBI documented 440 ransomware attacks on healthcare systems in 2023 and the first half of 2024.
Canada has experienced fewer breaches, with only 14 major cyberattacks compromising patient data since 2015. However, this recent incident highlights vulnerabilities in medical information systems.
The Care1 breach underscores the critical need for stringent security measures in healthcare data management. With medical information being a prime target for cybercriminals, organizations must adopt advanced encryption, regular audits, and robust data protection protocols to safeguard sensitive patient data.
Baburajan Kizhakedath