Two misconfigured databases breach thousands of MedCall Advisors patient files

Two misconfigured databases breach thousands of MedCall Advisors patient files

A screensnap of the Amazon S3 bucket indicating thousands of patients’ protected health information were leaked from from MedCall Advisors. Credit:

For the second time in one month, a researcher discovered North Carolina-based MedCall Healthcare Advisors has been leaking patient data through its misconfigured Amazon S3 storage bucket.


Security researcher Britton White contacted that MedCall, a workers compensation and healthcare solutions vendor, left a storage bucket containing 10,000 files exposed to the internet, available for download and or deletion or editing.

In fact, the database was listed on the searchable tool, which publicly lists current open Amazon S3 buckets.

Some patient names were included in filenames, and the database included names, email and postal addresses, phone numbers, dates of birth and Social Security numbers. Other files had recordings of patient evaluations and conversations with doctors, along with medications, allergies and other detailed personal health data.

What’s worse is that this is the second time MedCall has left a database like this exposed to the public in a month.


Security firm UpGuard’s Cyber Risk team discovered the first misconfiguration in mid-September. The detailed medical data for employees of 181 of the tech vendor’s 181 business locations and personally identifiable information for 3,000 people was exposed through an unsecured Amazon S3 storage bucket.

The leak of 7 gigabytes of data were PDF injury intake forms across MedCall’s 181 business locations, which included the descriptions of injuries and illnesses, along with records of phone calls between patients, MedCall operations and physicians.

There was also a directory of CSV files that included PII, complete with Social Security numbers for about 3,000 people enrolled in MedCall’s services.

There is no entry on the Department of Health and Human Services’ breach reporting tool for either of these breaches. While it’s uncertain if MedCall is covered under HIPAA, the patients involved in the breach should still be notified under state laws.

Under North Carolina law, businesses are required to report breaches to the Attorney General. But the state is still considering creating one of the strictest breach notification laws, which would require businesses to report a breach in just 15 days.

Despite numerous attempts, MedCall did not respond to a request for comment.

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: @JF_Davis_
Email the writer:

This article is automatically posted by WP-AutoPost Plugin

Source URL: