Medical AI Company Exposed Millions of Records Online

Recently I discovered a non-password-protected database that contained 886,521,320 records. The dataset totaled 68.53 GB and contained medical-related data. Upon further research, there were multiple references to a company called Deep6.AI, including internal emails and usernames. We immediately sent a responsible disclosure notice, and public access was restricted shortly after. The records appear to contain data of those based in the United States. Deep6 takes raw medical data and tries to manage or organize it.

The types of data collected were divided into the following sections:

Date, document type, physician note, encounter IDs (an encounter is an interaction between a patient and healthcare provider(s) for the purpose of providing healthcare service(s)), patient ID, note, uuid, patient type, noteId, date of service, note type (for example, Nursing/other), and detailed note text. Some of this information was encrypted, but the notes and physician information were in plain text. The danger is that if the patient ID were decrypted and the identity exposed, the patient's medical issues or diagnoses would be clear to see.

