Seniors provided their personal financial and health information to a program promising them discounts on diabetes supplies.
Seniors provided their personal financial and health information to a program promising them discounts on diabetes supplies.

A database containing personal information of 918,000 seniors seeking discounts on diabetes supplies was revealed to be exposing its contents for months freely online.

The seniors provided their personal financial and health information to a program promising them discounts on diabetes supplies. But, according to a report on Naked Security, a Sophos blog, the database on which the information was stored ended up exposed for months after a software developer in the employ of a telemarketing firm uploaded a backup copy to the internet.

The database was found by a Twitter user, calling himself Flash Gordon, on an Amazon Web Services (AWS) instance at an IP address. He is said to have used Shodan, a search engine for connected devices that "crawls the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results," according to the blog post.

Flash Gordon notified DataBreaches.net – a data security site run by a health care professional – about his discovery. At that point, DataBreaches.net reached out to security researchers for help. They found that the database was not from an entity liable under HIPAA laws, such as a health care provider. Rather, they discerned it was from a telemarketer as the data included scripted comments to use when engaging with patients.

The database included names, addresses, dates of birth, telephone numbers, email addresses, taxpayer IDs, health insurance carrier, policy numbers, and information about what types of health problems the individuals had.

The database has since been taken down.

The Sophos researchers advised that when called by a telemarketer offering great deals on diabetes supplies, be wary of providing personal information as there's no way to know whether the caller is legitimate. Additionally, any information a caller provides might get duplicated for use in other telemarketing campaigns.