The Canadian company Care1, specializing in the application of artificial intelligence in ophthalmology, has found itself embroiled in a scandal following a data breach. Cybersecurity researcher Jeremiah Fowler uncovered a publicly accessible database of 2.2 TB, containing over 4.8 million records.
The leaked data included ophthalmological examination results in PDF format, featuring patients’ personal information, physician comments, and diagnostic images. Additionally, the database contained .csv and .xls files with home addresses, unique personal health numbers (PHN), and other sensitive health information.
The database’s title indicated its association with Care1, which provides software solutions for ophthalmologists focusing on retinal and glaucoma treatments. Following Fowler’s notification, access to the database was closed the next day. However, it remains unclear how long the data was exposed and who might have accessed it during that time.
A representative of Care1 acknowledged receiving the notification and stated that the team is working to resolve the issue. Nevertheless, it remains uncertain whether the database was managed directly by the company or by a third-party contractor. Only a thorough internal audit can determine whether unauthorized access occurred.
Particularly concerning is the exposure of unique personal health numbers (PHN), which are used in Canada to identify patients. While PHNs are not directly tied to financial fraud, their combination with other personal information could facilitate the creation of detailed identity profiles.
Care1 claims that its solutions have already supported over 150,000 patient visits and that its network of ophthalmologist partners exceeds 170. On LinkedIn, the company describes itself as a leader in high-tech ophthalmological solutions, transforming clinical practices through advanced technologies.
This incident raises critical questions about how medical data is stored and protected. A breach of this magnitude poses a severe threat to patient confidentiality and undermines trust in technology-driven digital health systems.