Personal data belonging to health care professionals working for the U.S. military was sitting exposed on an insecure server operated by a medical services subcontractor, a security researcher from MacKeeper reported on Saturday.
According to Chris Vickery, security researcher at MacKeeper, the server is operated by Potomac Healthcare Solutions, which provides its services through management consulting firm Booz Allen Hamilton. In a blog post, Vickery wrote that the server revealed the names, work locations, Social Security numbers, salaries and assigned units of military health care personnel deployed within the United States Special Operations Command (SOCOM).
Vickery told ZDNet in an interview that the leaked information dates back to 1998 and also includes the contract types and duty start dates of various military doctors, nurses and psychologists, as well as the living quarters they use when not on active duty.
Additionally, Vickery found the names and locations of at least two special-forces data analysts with top-secret government clearance. The researcher reported that the server insecurely employed rsync, a utility program that allows users to perform file synchronization and transfers between two different systems, and that the 11 gigabytes of data residing on the server was not protected by a single password. After reaching out to Potomac Healthcare Solutions and additional military contacts, the subcontractor took the server offline, Vickery continued.
Asked for comment, Potomac Healthcare Solutions sent the following statement to SC Media: "We are aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information. Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support. While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised. The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns."
Contractor Booz Allen Hamilton also provided a statement: "We take any allegation of a data breach very seriously, including those from our subcontractors. We are looking into this alleged event,” the company commented.
UPDATE: Potomac HealthCare Solutions provided the following updated statement on Jan. 5, 2017: "...Potomac Healthcare Solutions, with support from an external forensic IT firm, has completed its investigation of a security incident involving the unauthorized access of one of our internal servers. Despite earlier media reports, our review, which was immediately initiated after the initial questions were raised, has confirmed that the impacted server did not contain any classified government information or protected medical or personal data related to active duty military personnel or their families. However, the affected server did contain files with data of a limited number of current and former Potomac employees' personal information. While we have no evidence to suggest that any employee information has been used inappropriately, Potomac is in the process of proactively reaching out to impacted employees to provide guidance on how they can protect themselves and is offering complimentary credit monitoring and identity theft protection services to affected individuals..."