Telemarketing company, HealthNow, suffers massive data breach
A recently discovered database of information has left one company suffering the effects of a data breach, and nearly one million senior citizens questioning where their sensitive identifying information may have ended up. HealthNow, a telemarketing company that tracks its customers and offers them medical supplies, lost control of a database containing names, birthdates, Social Security numbers, health insurance numbers, medical histories, and more, for over 918,000 people.
Shodan search engine
As if telemarketers weren’t annoying enough, in this case the database of complete PII was uploaded to the internet by a contracted software developer who failed to encrypt the information or password-protect it. A random user found the database while using the Shodan search engine to locate and log connected devices. When he realized what he’d stumbled upon, he reported the issue to DataBreach.net, which in turn contacted HealthNow. The database has since been removed, but there’s no information about how long it was available or how many people may have already accessed it.
Everything about the issue falls into the “sleazy” category. Why did a marketing company have access to Social Security numbers and medical histories? Why did it hire a software developer who would upload this type of content without full security protocols in place? In an even more disappointing twist, HealthNow does not answer to the US privacy regulations that pertain to medical facilities, hospitals, and doctors’ offices. Because it is a retail marketing firm rather than a medical care provider, HIPAA laws don’t apply, meaning the company won’t face anywhere near the fines and penalties it should be subjected to. It is no more culpable in this case than a hardware store whose computers were hacked, despite the sensitivity of the information it gathered, stored, and inadvertently shared.
Privacy experts have warned for some time that the public has to be more proactive about guarding their information, starting with refusing to hand it over blindly to anyone who asks for it. This is akin to a grocer asking for your private details, yet due to the medical nature of the company, patients felt secure submitting their complete identities.