Cybersecurity researcher Jeremiah Fowler uncovered an unprotected database belonging to Care1, a Canadian provider of AI-driven software solutions for optometrists.

The database, totaling 2.2 TB and containing over 4.8 million records, exposed sensitive patient data, including names, addresses, medical histories, and unique Personal Health Numbers (PHNs). Among the exposed files were detailed eye exam reports in PDF format, as well as spreadsheets listing patient PII, doctor’s comments, and images from medical exams. This breach highlights significant vulnerabilities in how sensitive healthcare data is managed and protected.

Care1, which partners with over 170 optometrists and manages more than 150,000 patient visits annually, specializes in leveraging AI to modernize eyecare. It remains unclear whether the database was directly managed by Care1 or a third-party contractor, how long the data remained exposed, or if unauthorized access occurred. Following responsible disclosure by Fowler via vpnMentor, public access to the database was promptly restricted. However, this incident underscores the risks inherent in handling healthcare data digitally, as PHNs—while not directly exploitable for financial fraud—can help criminals build comprehensive profiles for identity theft and other malicious purposes.

The breach underscores the urgent need for stronger cybersecurity measures in the healthcare sector. Companies like Care1 must adopt robust practices, including data encryption, access controls, and regular security audits, to prevent such exposures. This incident follows a similar 2023 breach involving Redcliffe Labs in India, where over 12 million patient records were left unsecured. With increasing reliance on digital systems, healthcare providers must prioritize the protection of sensitive patient data to maintain trust and prevent significant privacy risks.