We recently discovered an unsecured database that appears to belong to one of the largest charities in New York. The unsecured database contained more than 2,000 CSV and TXT files, each with hundreds or thousands of entries related to patients’ medical records, children’s legal guardians, case workers, doctors, and other child welfare specialists.

Some documents even contained social security numbers.

The files were stored on an unsecured Microsoft Azure Blob that was publicly accessible, meaning that anyone with the URL was able to download the data.

Many of the email and physical addresses within the database point to the New York Foundling organization, which provides many services related to child protection, foster care and adoption, disabilities services, and more.

We first reached out to the New York Foundling organization on March 1, but received no response after multiple attempts. We then contacted Azure to have the database secured, and it was removed from public access on March 17.

The New York Foundling organization has not confirmed that the database is theirs.

To see if any of your online accounts were exposed in this or other security breaches, use our personal data leak checker with a library of 15+ billion breached accounts.

What data was in the database

Inside the Azure blob, we discovered 104 CSV and 2131 TXT files. 

These files contained hundreds or thousands of entries, including:

  • At least 13,000 entries on vaccines, including administration date, vaccine type, dosage, product, and expiration
  • Diagnostic tests, including:
    • Patient IDs
    • Test code, ID and name
    • Dates
  • Patient referral, including:
    • Patient number
    • Referring doctor and address
    • Referral reasons
    • Data of what appears to be the receiving doctor
  • Contact information for the patients or their legal guardians
  • Employee information (without column headers) that appear to include:
    • Staff names
    • Employee or other IDs
    • Branches or cooperating offices (such as Child Welfare Services)
  • Chart notes with descriptions and patient IDs
  • 7,000 entries for patients, including:
    • Patient names and birthdates
    • Parent/guardian names and phone numbers
    • The relationship (such as foster or biological parent, or case worker)
    • Addresses
    • Referral notes
    • Insurer IDs
  • BP and height records for patients aged 1-17
  • A headerless TXT file containing SSNs and what appears to be IDs, but without names or other identifying information

The last modified date for these files is July 16, 2020. 

The data in these files was separated so that patient names, birthdates and other personal information is separated from the medical records. However, they are connected by their patient IDs. 

For example, patient IDs were listed in the chart notes CSV document. This file included a diagnosis or summary of the issue, as well as abiding notes. Some of the notes contained relevant information about the child’s family situation, and some notes included the child’s name. 

The same patient IDs were included in the patients CSV document, along with the patients’ names. All instances in which the children were named in the chart notes matched with their contact information in the patient file.

Additionally, since the chart notes file contained multiple entries for the same patient, it was likely possible to piece together the patient’s medical history as contained within this document. 

This information, in totality, was particularly sensitive. Many of the email and physical addresses were connected to the New York Foundling organization.

Who owns the database?

The database appears to belong to the New York Foundling group, a 501(c)3 charity organization and one of New York City’s oldest and largest child welfare agencies. According to its website, the organization has been in operation since 1869 with programs in the five boroughs, Rockland County and Puerto Rico.

The organization currently runs several different programs across its locations:

  • Foster care and adoption, with the NYC Administration for Children’s Services referring children to the NY Foundling for placement and other support services
  • Child protection
  • A charter school aimed at kids in the child welfare system
  • Juvenile justice programs
  • Deaf services
  • Developmental disabilities programs
  • A head start program in Puerto, which aims to help children and families in impoverished areas improve their social and educational situations

We reached out to NY Foundling, not only to confirm if the database belongs to them and to help secure it, but also to provide further cybersecurity assistance if needed. However, they did not respond to our requests.

Impact

The impact here is pretty clear: medical information is protected by HIPAA and other privacy laws in the US, especially so for children. Beyond that protected group, sensitive data about foster parents, child protection workers, medical staff and organization staff was also left unsecured.

HIPAA laws consider medical data as protected health information, and there are very strict rules in how this data is created, collected, transmitted, or maintained. This medical data is only considered personal health information if the patients can be identified. If all personal identifiers are stripped from this medical data, it no longer qualifies as personal health information.

In this database, the medical data was in fact separated from the personal identifiers in any given document. However, it seemed straightforward enough to reintegrate the personal data and the medical data.

Beyond whether it was a HIPAA violation or not, it still was sensitive data that could negatively impact these patients. Even if it were a HIPAA violation, it doesn’t allow for the private right to action. This means that individuals can’t sue the organization, and it is up to attorney generals to bring suit.

Besides HIPAA, there are also a myriad of state privacy and confidentiality laws that such an unsecured database may be in violation of.

In any case, cybercriminals may use the data for their own malicious purposes. While many bad actors claim to stay away from attacking hospitals or charities – and some “Robin Hood” criminals even stealing money and donating it to charity – the reality is not so rosy. For example, a November 2020 report showed that at least one-third of all charities in the UK had suffered a cyberattack during the pandemic, while another report from the Charity Commission confirmed that more than 100 UK charities had fallen victim to a ransomware attack.

With the data contained within this database, a bad actor may be able to:

  • Target the children or their foster parents or care workers with spear phishing campaigns using only the data in the Patients or Contacts documents
  • Target staff of the charity with phishing campaigns in order to get into the organization’s systems
  • Create fraudulent identities
  • File fraudulent insurance claims
  • Exploit or extort the patients or their legal guardians
  • Collect, collate and sell this medical data on to other bad actors

Here’s what to do next

It is unclear whether any bad actors were able to access the data, or how long the data was left out in the open. 

If your data has been included in the data leak, or you believe your data has, there are a few important steps you need to follow:

  • Check if your data has been leaked in this or other breaches by using a service like CyberNews’ personal data leak checker, which currently has more than 15 billion records
  • Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails
  • Watch out for suspicious activity on your financial accounts, and set up identity theft monitoring