Report: Medical Data Leaked for Hundreds of Thousands of Users (including US Veterans)
vpnMentor's research team has found a breach in the xSocialMedia database.
Noam Rotem and Ran Locar, our leading cybersecurity researchers, discovered vulnerabilities in multiple databases operated by xSocialMedia. Nearly 150,000 personal records were exposed, but that's not all they found.
The exposed records included deeply personal medical testimonies, identifying information, and contact information for users. Additionally, we were able to access a list of xSocialMedia's invoices, customer data, and exact numbers from their advertising campaigns for injury-check.com.
The xSocialMedia leak allows access to names, addresses, phone numbers, and medical history that were provided by their leads.
Timeline of Discovery and Reaction
- June 2: We discovered the leak in xSocialMedia's database
- June 3: Linked the breach back to xSocialMedia
- June 5: We contacted xSocialMedia about the breach
- June 11: We contacted xSocialMedia a second time
- June 11: xSocialMedia responded
- June 11: The database was closed
Examples of Entries in the Database
xSocialMedia is a Facebook marketing agency that focuses on running campaigns for medical malpractice lawsuits. According to their website, they create Facebook ad campaigns for 230+ clients. Their ads have generated over 16,000 leads.
The ads that xSocialMedia posts on Facebook lead users to a variety of "injury-check.com" domains, depending on their specific ailments. Examples include https://ied-fund.injury-check.com and https://ivcfilter-risk.injury-check.com. xSocialMedia lists 10 different kinds of injury lawyers that they work with.
Once Facebook users have entered one of the injury-check.com domains, they are encouraged to fill out a form with their medical data to see if they qualify for legal assistance.
We could access almost 150,000 responses to these forms.
The exposed data includes:
- First and last name
- Email address
- Street address
- Phone number
- IP address
- Circumstances of the injury
- Explanation about the injury
All of the entries are tagged with "xsocial_submission_id", which demonstrates that these form submissions were sent by those who clicked on one of the Facebook ads. Since the tag didn't include the full company name, it took us longer to link the data breach back to xSocialMedia as the source of the leak.
The injuries described in the database vary from combat injuries suffered by American veterans to injuries caused by medical devices, pesticide use, medication side-effects, and defective baby products.
The lead above shows data that a US veteran submitted describing their combat injuries. In the description of the injuries the veteran sustained while in combat, they left information that may not have been disclosed to anyone else. Employers, for example, may not know an employee is suffering from PTSD.
This submission included deeply private symptoms that this person is still suffering as a result of their surgery. Using the information provided in the database, we could easily find their social media accounts and location. Though they did not submit their address, the inclusion of an IP address is enough to discover their location.
This also gave us insight into their employment situation. The symptoms this person still suffers could easily ruin their professional reputation.
Here's another entry that came from a veteran. This is for a case about malfunctioning earplugs. The extent of the veteran's injury may not be something they disclose to everyone.
xSocialMedia didn't just leak private data regarding their leads. Their database also leaked their own bank account information in invoice records they sent to clients.
We could also see their clients' names, addresses, phone numbers, and email addresses. Much of this is public information, but the specific amount each company is paying xSocialMedia wouldn't otherwise be disclosed.
The amount of data that is easily accessed through xSocialMedia's database doesn't stop there. We can see more than 300 different clients who are collecting data in order to build lawsuits. We can view the code for their website forms, as well as metrics for their Facebook ads. Most companies don't disclose specific metrics per campaign.
Here, we can see what their results are per website campaign, in addition to the amount of money their clients are paying for each campaign.
Data Breach Impact
This data breach has far-reaching consequences, especially because of the sensitive health data included in xSocialMedia's database. Medical records are heavily protected in the US by HIPAA laws. Practitioners and other healthcare providers cannot release any identifying information about their patients without written permission.
These laws can protect patients' welfare, their families, and their jobs. Healthcare providers cannot even confirm to an outside party that someone is a patient without a release. Patients may worry that if their workplace, for example, had open access to their medical records, it could be used against them. The only data allowed to be released outside of designated channels is data that does not have any identifying information attached.
Based on the testimonies recorded in xSocialMedia's database, many of these people were recording their private medical issues. Some may not have disclosed these symptoms to anyone but their doctors. They may fear losing their jobs, or fear how their friends and family would treat them if their symptoms were public knowledge. Some may worry about being shamed for their medical conditions, or even blackmailed.
Not only that, these people can be easily traced by the identifying information attached to their testimonials. A bad actor could take this information and use it to test the security of these people's other accounts. Given the number of veterans with detailed accounts of their injuries in the database, terrorists could take advantage of their data to harm them further as an act of revenge.
The people who filled out the forms linked in xSocialMedia's ads were already suffering from medical problems that caused enough pain and trauma that they were looking for legal help. Discovering that their data was leaked without permission could easily add to their trauma.
xSocialMedia should have taken more care to secure their databases before they began collecting private medical information. The firm itself may not be subject to HIPAA compliance because patients are free to disclose their health information to the parties of their choice. However, in this case, many patients did not expect the possibility that their testimonies could be released to the public.
xSocialMedia specifically focuses its Facebook ad campaigns on the medical malpractice industry. It's a breach of ethics to not have higher security measures in place from the start.
Furthermore, this data leak doesn't just hurt those suffering from medical malpractice. It hurts xSocialMedia's business as well. Future law firms may be less inclined to work with a company that experienced such a widespread breach. Additionally, if a rival marketing company has access to xSocialMedia's metrics, they can use that for their own gain.
How We Discovered the Breach
vpnMentor's research team found the breach through a web-mapping project. Headed by Ran and Noam, the team scans ports looking for familiar IP blocks. They use these blocks to find holes in a company's web system. Once these holes are found, the team looks for vulnerabilities that would lead them to a data breach.
Using their expertise, they examine the database to confirm its identity.
Once we've found the leak, we contact the company to alert them to the data breach. When possible, we also notify those affected by the leak. We do this to make the internet safer for all users.
Advice from the Experts
This data leak could have easily been avoided. Companies can take several basic security measures to prevent or patch a data leak by using the following tips:
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
We recently discovered a huge data breach impacting 80 million US households. We also revealed that Gearbest experienced a massive data breach. You may also want to read our VPN Leak Report and Data Privacy Stats Report.