A massive data breach has come to light involving Care1, a Canadian medical technology company specializing in AI-driven software for optometry practices.
The exposed database, left unprotected and unencrypted, contained over 4.8 million documents, amounting to 2.2 TB of highly sensitive data.
What Was Exposed?
A limited review of the database revealed documents including PDFs of eye exams with personally identifiable information (PII), doctor’s notes, and examination images. Also exposed were spreadsheets (.csv and .xls) listing patients’ names, home addresses, Personal Health Numbers (PHNs), and other sensitive health details.
The database was named in a way that suggested it belonged to Care1, a firm that collaborates with over 170 partner optometrists and boasts of managing more than 150,000 patient visits through its software. Despite the breach, it remains unclear whether the database was directly managed by Care1 or outsourced to a third-party contractor.
Upon discovery, the researcher behind the report sent a responsible disclosure notice to Care1. Public access to the database was swiftly restricted the following day. In response, a Care1 administrator thanked the researcher, stating that their team was “currently working on resolving this issue.” However, the duration of the exposure and whether any unauthorized parties accessed the data remain unknown. Only a thorough internal forensic audit could confirm the extent of any potential damage.
Bijay Pokharel