A massive database containing 1.6 million clinical trial records was found exposed online without password protection, potentially compromising sensitive patient information.
Security researcher Jeremiah Fowler discovered an unprotected 2TB database containing 1,674,218 clinical trial records belonging to DM Clinical Research. The exposed data included PDF survey results with sensitive personal and medical information.
The database was secured within 24 hours after Fowler notified DM Clinical Research. The company stated they are "reviewing the details of the findings to ensure a swift and comprehensive resolution."
The exposed information includes highly sensitive data such as names, medical conditions, vaccination status, and pregnancy information. This type of data could be exploited by insurance companies or used for identity theft and phishing scams.
While this breach involves protected health information (PHI), it may not fall under HIPAA regulations since DM Clinical Research isn't technically a covered entity. This shows a significant gap in healthcare privacy protection regulations.
The incident may lead to increased scrutiny of clinical research data protection practices. Under Texas law, if the breach affected more than 250 Texans, DM Clinical Research must notify the state Attorney General within 30 days.
The exposed records included patient names, phone numbers, email addresses, dates of birth, vaccination information, current medications, health conditions, and doctor names.
The duration of exposure remains unclear. Only an internal forensic audit could determine if anyone accessed the data before its discovery.
While notifications haven't been issued yet, individuals who participated in DM Clinical Research trials should monitor their accounts for suspicious activity and be alert for potential phishing attempts.