- A breach has impacted thousands of Carolina Anesthesiology patients
- Confidential health information and patient data were exposed
- This leaves anyone affected at risk of identity theft or social engineering
Security researcher Jeremiah Fowler has discovered a non-password-protected database believed to be owned by Carolina Anesthesiology PA, a health firm based in North Carolina. The dataset contained 21,344 records, was almost 7 GB in size, and covered multiple states.
The information contained confidential data, including patient information, such as names, physical addresses, telephone numbers and email addresses, as well as insurance coverage details, anesthesia summaries, diagnoses, family medical history and medical notes. According to the researcher, there were files marked ‘Billing and compliance reports’, which gives an idea of the type of data included.
While there is so far no evidence to suggest that the database fell into malicious hands, the potential compromise of the unprotected database could put many at risk of social engineering attacks such as phishing, identity theft or fraud.
Database in the program
The researcher says the dataset contained a “detailed analysis and key metric related to medical billing and medical care services provided”. When contacted, however, the health firm indicated that it did not own or manage the database, but that the owner had been notified and had restricted public access.
It is not clear whether the information was accessed by a threat actor or a third party, since only an internal audit would show this, and as far as we know, the information has not appeared for sale by cybercriminals on any dark web site. The researcher's investigation indicates that the content of this folder was probably affiliated with Atrium Health, a partner of Carolina Anesthesiology PA.
“Our cyber security team immediately launched an internal investigation upon receiving an email tip in mid-February 2025 about a possible data breach. Our investigation found that Carolina Anesthesiology, PA, which regularly provides anesthesia services in selected facilities, poorly configured the technological service used to bill data, exposing some of its patient data,” said Atrium Health in response to the breach.
“We immediately closed all data feeds to Carolina Anesthesiology and, as a courtesy, notified the regular government entities. We continue to learn more from the Carolina Anesthesiology team about their plan to notify their patients about this breach. All data feeds remain off until this problem has been satisfactorily addressed.”