- A breach has impacted thousands of Carolina Anesthesiology PA patients
- Sensitive health information and patient data was exposed
- This leaves anyone affected at risk of identity theft or social engineering
Security researcher Jeremiah Fowler has discovered a non password-protected database, believed to be owned by Carolina Anesthesiology PA – a healthcare firm based out of North Carolina. This dataset contained 21,344 records, was almost 7GB, and spanned multiple states.
The information contained sensitive data, including patient information like names, physical addresses, phone numbers, and email addresses, as well as insurance coverage details, anesthesia summaries, diagnoses, family medical histories, and doctors notes. According to the researcher, there were files marked ‘Billing and Compliance Reports’, which gives an idea of the type of data included.
While there is so far no evidence to suggest the database fell into malicious hands, the potential compromise of the unprotected database could put many at risk of social engineering attacks like phishing, identity theft, or fraud.
Database on show
The researcher outlines that the dataset contained a “detailed analysis and key metrics related to medical billing and healthcare services provided” – but that, when contacted, the healthcare firm indicated that it did not own or manage the database, but that the owner has been notified and public access restricted.
It’s not clear if the information was accessed by a threat actor or third party, as only an internal audit would show this – and as far as we know, the information has not appeared on any dark web sites for sale by cybercriminals. Investigation by the researcher indicate that this folder’s contents was likely affiliated with Atrium Health – a partner of Carolina Anesthesiology PA.
“Our cyber security team immediately launched an internal investigation upon receiving an email tip in mid-February 2025 about a possible data breach. Our investigation found that Carolina Anesthesiology, P.A., who regularly provides anesthesia services at select facilities, misconfigured the technology service used for billing data, exposing some of their patient data,” said Atrium Health in response to the breach.
“We immediately shut down all data feeds to Carolina Anesthesiology and, as a courtesy, notified the regular governing entities. We continue to learn more from the Carolina Anesthesiology team about their plan to notify their patients of this breach. All data feeds remain off until this issue has been satisfactorily addressed.”
Leave a comment