“Deeply personal medical” records exposed online

xSocialMedia – a Facebook marketing agency that runs campaigns for medical malpractice lawsuits – has leaked the medical and other data that about 150,000 people entered into online forms to check whether they’re eligible for legal assistance.

The breach was discovered by vpnMentor’s research team. The company, which tests virtual private networks (VPNs), said in a post that cybersecurity researchers Noam Rotem and Ran Locar discovered the vulnerabilities in multiple databases operated by xSocialMedia.

They found a lot more besides the 150,000 personal records, some of which belonged to US veterans. They also found what they called “deeply personal medical testimonies”; contact information including names, addresses, and phone numbers; and people’s medical histories. They were also able to access a list of xSocialMedia’s invoices, customer data, and exact numbers from their advertising campaigns for injury-check.com.

xSocialMedia, which says it creates Facebook ad campaigns for 230+ clients, posts those ads to a variety of injury-check.com domains, depending on specific ailments. Examples include https://ied-fund.injury-check.com, for wounded servicemen and women who’ve been injured in improvised explosive device (IED) attacks, and https://ivcfilter-risk.injury-check.com, for people who’ve been injured by an inferior vena cava filter (a type of vascular filter implanted so as to prevent life-threatening pulmonary emboli).

In fact, xSocialMedia works with 10 different kinds of injury lawyers that specialize in lawsuits regarding medical injury from hernia mesh, 3M earplugs, sexual abuse, pesticides, auto accidents, and more.

After Facebook users land on one of the injury-check.com domains, they’re encouraged to fill out a form with their medical data to see if they qualify for legal assistance. vpnMentor found it could access 150,000 responses to those forms, each of which contained:

  • First and last name
  • Email address
  • Street address
  • Phone number
  • IP address
  • Circumstances of the injury
  • Explanation about the injury

Details of injuries leaked

vpnMentor published a redacted form of one of xSocialMedia’s “leads”: it was from a US veteran who described their combat injuries, including a below-knee amputation following an IED blast. As vpnMentor notes, this is highly sensitive information:

Employers, for example, may not know an employee is suffering from PTSD.

Another redacted record showed details of chronic pain after surgery to implant a hernia mesh. vpnMentor said that using the information exposed in xSocialMedia’s database(s) – specifically, the person’s IP address – its researchers could “easily” find the person’s social media accounts and location.

In another case of breached medical details, a veteran describes hearing loss after using military-issue hearing aids: a condition that the veteran may not wish to disclose to everyone, including, for example, to employers.

xSocialMedia leaked its own data, too

Besides leaking personal medical histories of its leads, xSocialMedia also leaked its own bank account information in invoice records the firm sent to clients. vpnMentor researchers found they could see clients’ names, addresses, phone numbers, email addresses, and the specific amount each company is paying xSocialMedia.

vpnMentor saw exposed data for more than 300 clients that are collecting data in order to build lawsuits, including data that companies don’t typically disclose. It could also easily see results per website campaign, plus how much the clients are paying for each campaign.

We can view the code for their website forms, as well as metrics for their Facebook ads. Most companies don’t disclose specific metrics per campaign.

The breach’s impact

As vpnMentor points out, this breach never should have happened, given how sensitive this data is. In the US, medical records and patient privacy are strongly protected by the Health Insurance Portability and Accountability Act (HIPAA), which forbids disclosure of patients’ identifying information without written permission.

Healthcare providers cannot even confirm to an outside party that someone is a patient without a release. Patients may worry that if their workplace, for example, had open access to their medical records, it could be used against them. The only data allowed to be released outside of designated channels is data that has no identifying information attached.

And yet there was xSocialMedia’s collection of personal medical records, unprotected and paired with identifying data.

The people who filled out the forms linked in xSocialMedia’s ads were already suffering from medical problems that caused enough pain and trauma that they were looking for legal help. Discovering that their data was leaked without permission could easily add to their trauma.

vpnMentor notes that xSocialMedia might not be subject to HIPAA compliance because patients are free to disclose their health information to the parties of their choice – in this case, by inputting it into a form on one of the advertising firm’s sites. But it’s hardly likely that they would have done so if they’d known that their personal medical histories would be publicly exposed, along with data that could easily link their identities to those records.

The holes have been closed

vpnMentor says it discovered the leak on 2 June. xSocialMedia responded on 11 June and closed the database the same day.