US Military Veterans’ Medical Data Exposed Online

Nearly 200K Medical Records of US Military Veterans Leaked

Last updated on May 25, 2021

Secure Thoughts partnered with Security Expert Jeremiah Fowler to expose highly sensitive medical records related to US military veterans. Here are his findings: 

On April 18th, 2021 I discovered a non-password-protected database that contained what appeared to be medical information related to military veterans. There were just under 200,000 records publicly exposed. Upon further investigation of the data there were many references to a Jacksonville, North Carolina based company called United Valor Solutions. The records contained patient, physician, employee data and other potentially sensitive information that should not have been publicly exposed.

According to their website: United Valor Solutions provides disability evaluation services for the Veterans Administration and other federal and state agencies.

I immediately sent a responsible disclosure notice of my findings to key contacts whose emails were contained in the database. Public access was restricted within hours and United Valor acted fast to secure the exposed records.

On April 19th I received the following reply: “Thank you for bringing this to our attention. We communicated your findings to our contractors and they shut down this public data access immediately. According to their monitoring, the data has only been accessed via our internal IP and yours”.

The dataset also contained a Ransomware message titled “read_me” that claimed all of the records were downloaded and they would be leaked unless 0.15 Bitcoin ($8,148 USD) was paid. The forensic audit or IP review of outside access conducted by the Contractor should have also identified the Ransomware intrusion and the multiple IoT search engine spiders that indexed the exposed database. This appears to contradict what the Contractors told United Valor.   

What the database contained:

  • Total Records: 189,460
  • Veteran / Patient Info: name, date of birth, sex, reason for doctor visit, medical record number, some accounts contained email and phone numbers. Doctor information and appointment location.
  • Names and email addresses of internal users that could be targeted in a phishing attack or other social engineering scams that could have potentially affected Veterans, Employees, or Doctors.
  • Admin and user information with hashed and non-hashed passwords. Internal users with @unitedvalorusa email accounts exposed passwords that appeared to be complex but non-encrypted. External user accounts with gmail, yahoo, and other email providers were hashed.
  • Evidence of Ransomware that claims the data was downloaded.
  • Billing, invoicing, and outstanding balance totals.
  • The database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.

[Screenshots: US Military Veterans Data Leak - Evidence of Ransomware; Medical Data Exposed - Military Veterans]

The records contained appointment and other data for Veterans from all over the United States. Inside the database were files that included what could be considered personally identifiable information (PII) and some accounts had medical information or notes about the user. These reasons for visit had a wide range of descriptions such as “ROUTINE PHYSICAL/COMPARISON VIEWS-BACK PAIN”.

The MRN or medical record number is used as a systematic documentation of a patient’s medical history. In a targeted phishing campaign cyber criminals could hypothetically reference this confidential record number to gain trust and then ask the victim to update their payment information, credit card number, or commit other kinds of fraud.

I am not implying any wrongdoing by United Valor Solutions or their partners, contractors, or affiliates. They acted fast and professionally to secure the exposed data. As a Security Researcher I never download or extract the records I find and only take a small number of screenshots for validation purposes and redact any sensitive information. My goal is to educate and raise awareness of cyber security issues and help protect the affected individuals and data I discover.

It is unclear if this incident was reported to the affected individuals, Veterans agencies, or the authorities as required by HIPAA and North Carolina breach and notification laws. It is also unknown how long this data was publicly accessible or the full scope of who else may have accessed the records. Only a detailed forensic audit would reveal the full scope of the exposure.

In the ever-changing world of cyber security there are few types of records that are as sensitive as medical data. Medical records are among the most valuable types of data. It has been reported that medical records can sell for as much as $250 per record on the black market, while credit cards sold for only $5.40 per record. Any data exposure can potentially put users or customers at risk, but health and medical records are among the highest threats.

The Dangers of Outsourcing Sensitive Data

It is important for any organization that stores or collects medical or other highly sensitive data to maintain control of their information. This includes data security, upgrades or patch management, and other changes needed to meet standard data security requirements. This control is even more important when it comes to nonpublic personal information (medical, social security numbers, credit card data, etc.).

Outsourcing can save money, but it has very real risks. Farming out your IT infrastructure leaves a patchwork of cybersecurity standards. Low-cost development and IT companies can be based outside the US or EU, where there are strict privacy laws and data security regulations. Outsourcing to contractors in locations without strong data protection laws creates additional risks, and those contractors often face no accountability for a critical data breach.
