- A breach has affected thousands of Carolina Anesthesiology patients
- Sensitive health information and patient data have been exposed
- This leaves anyone affected at risk of identity theft or social engineering
Security researcher Jeremiah Fowler discovered a non-password-protected database that belonged to Carolina Anesthesiology PA, a health care company based in North Carolina. The data set contained 21,344 records, was almost 7 GB in size and spanned several states.
The information included sensitive data: patient details such as names, physical addresses, telephone numbers and email addresses, as well as insurance coverage, anesthesia summaries, diagnostics, family medical history and doctors’ notes. According to the researcher, the files were marked “billing and conformity reports”, which gives an idea of the type of data included.
Although there is so far no evidence that the database has fallen into malicious hands, the exposure of the unprotected database could put many people at risk of social engineering attacks such as phishing, identity theft or fraud.
Database exposed
The researcher says the data set contained a “detailed analysis and key measures related to medical invoicing and the health services provided”. When contacted, however, the health company said that it did not own or manage the database, but that the owner had been informed and had restricted public access.
It is not clear whether the information was accessed by a threat actor or a third party, because only an internal audit would show that, and to our knowledge the information has not been offered for sale by cybercriminals on dark web sites. The researcher’s investigation indicates that the contents of this file were probably affiliated with Atrium Health, a partner of Carolina Anesthesiology PA.
“Our cybersecurity team immediately launched an internal investigation upon receipt of an e-mail tip in mid-February 2025 about a possible data breach. Our investigation revealed that Carolina Anesthesiology, PA, which regularly provides anesthesia services at certain facilities, poorly configured the technology service used for data billing, exposing some of their patient data,” said Atrium Health in response to the breach.
“We immediately closed all the data flows to Carolina Anesthesiology and, out of courtesy, we informed the regular management entities. We continue to find out more from the Carolina Anesthesiology team about their plan to inform their patients of this breach. All data feeds remain outside this problem.”