Online media advertising agency exposes patients’ medical info

December 17, 2019

A well-known online advertising agency that specializes in helping law firms sign up potential clients has exposed close to 150,000 records from a database that was left unsecured.


The database held historical submissions collected as part of a lead-generation effort by X Social Media, a Florida-based advertising company that largely uses Facebook to run advertising campaigns for its law-firm customers.


In general, law firms pay the advertising company to set up individual webpages or websites that aim to sign up victims of specific classes of injury or harm (medical implants, medical malpractice, sexual abuse and more), who submit their sensitive personal details in the hope of receiving legal counsel.


Unfortunately for them, the database was left exposed and without a password, so anyone could look inside. In this case, that included malicious threat actors.


Cybersecurity analysts discovered the exposed database and reported it to the company immediately, and the company took the database offline right away.


The database contained patient names, addresses, phone numbers, the date and time of each person's submission, and the circumstances and explanation of their accident, injury or illness. Often this included personal health information, sensitive medical details, descriptions of procedures or of medications taken, or specifics of traumatic events.


Several of the records seen came from campaigns targeting combat veterans who were injured on duty. Other campaigns sought to sign up people who suffered illnesses from pesticides or medications.


Other campaigns solicited claims for sexual abuse. The records held names, postal and email addresses and phone numbers of victims, many of whom also described their sexual abuse when filling out the website form.


The leaked records also contained a list of more than 300 law firms that paid the advertising agency to set up the lead-generation operation, along with records of how much each law firm paid the ad company, in several cases amounting to tens of thousands of dollars. The records also contained the banking information and account numbers of the advertising company, which law firms used to pay it for its lead-generation services.


In an even more disturbing discovery, another redacted record from the leak exposed details of chronic pain following surgery to implant a hernia mesh. According to the security researchers, using only the information exposed in the leaked records, specifically the person's IP address, they could "easily" find the person's social media accounts, Social Security and banking information, and physical location.
