Breach said to expose more than 11GB of data on U.S. Special Ops medical professionals

A white hat hacker says he notified DoD subcontractor Potomac Healthcare on Dec. 29, but the files remained online for more than an hour after the initial warning.
By Jessica Davis
11:57 AM

Subcontractor Potomac Healthcare exposed more than 11 gigabytes of sensitive data for health workers employed by the U.S. military's Special Operations Command, or SOCOM, according to security researcher Chris Vickery.

Potomac Healthcare is a Department of Defense subcontractor, which provides health workers to the government through management consulting firm Booz Allen Hamilton.

Vickery, a white hat hacker with MacKeeper, discovered the flaw in an unprotected remote synchronization service and brought the information to the attention of Potomac Health via both phone and email, he said, but after an hour the data remained online.

He continued to alert what his blog stated were higher ups, or "Potomac's Boss," and only then did the files go offline 30 minutes later.

"Let's hope I was the only outsider to come across this gem," said Vickery in a Dec. 31 blog post. "Let's really hope that no hostile entities found it. Loose backups sink ships."

The data included names, locations, Social Security numbers, salaries and assignment units for psychologists, nurses and other SOCOM workers – some of which had top secret clearances, he said. The postings dated back to 1988.

The leak appears to be caused by a misconfigured data backup by Potomac IT staff, Vickery said.

"We're aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information," a Potomac Health spokesperson told Threatpost. "Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support.

"While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised," the spokesperson added. "The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns."

A Booz Allen Hamilton spokesperson also told Threatpost it was looking into the incident.

This isn't Vickery's first major discovery: He uncovered a database of 154 million U.S. voter profiles last summer that were reportedly left on an unprotected server. In December, he said he found a cache of Ameriprise Financial Investment accounts that included Social Security numbers, bank authorization details and confidential company details.

Twitter: @JessieFDavis
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn