Over 1.6 million clinical research records containing personally identifiable information (PII) and sensitive patient medical data have been exposed in a massive data breach.
Security researcher Jeremiah Fowler uncovered an unprotected database linked to DM Clinical Research, a Texas-based clinical trial network.
The Breach: What Happened?
The exposed database, which contained 1,674,218 records totaling 2TB in size, was found to be publicly accessible without password protection or encryption. The documents, primarily in PDF format, included survey responses and personal medical details of patients participating in clinical trials. Each file was named after the individual it belonged to, further exacerbating privacy concerns.
What Kind of Data Was Leaked?
The exposed records contained a wide array of sensitive information, including:
- Full names
- Dates of birth
- Phone numbers and email addresses
- Vaccination statuses (including details of vaccines received)
- Current medications and medical conditions
- Adverse reactions to COVID-19 vaccines
- Pregnancy and birth control status
- Doctors’ names and survey conductors’ details
DM Clinical Research’s Response
Upon discovering the breach, Fowler promptly notified DM Clinical Research. Within hours, the exposed database was taken offline. The company acknowledged the issue, stating they were investigating the findings and committed to resolving vulnerabilities.
However, it remains unclear how long the database was publicly accessible, whether unauthorized parties accessed it, or whether the breach was the result of internal oversight or a third-party data management provider.
Bijay Pokharel