A security researcher claims to have discovered a large volume of data inadvertently leaked online by a subcontractor that provides healthcare services and professionals to the United States government.
Potomac Healthcare Solutions provides services to the U.S. Army, the Navy, the Marine Corps, the Air Force, the Army Corps of Engineers, Immigration and Customs Enforcement (ICE) and several other organizations in the public sector. In 2013, after teaming up with Booz Allen Hamilton, Potomac obtained a contract with the U.S. Military’s Special Operations Command (SOCOM).
MacKeeper researcher Chris Vickery discovered that an unprotected remote synchronization (rsync) service linked to a Potomac IP address had been exposing more than 11 Gb of files.
An analysis of the files revealed that they stored various types of information, including the names, email addresses, phone numbers, dates of birth, contract information, work locations, and social security numbers (SSNs) of healthcare professionals working at Potomac facilities and U.S. military installations.
Vickery said the exposed data also included a file containing usernames and passwords for various services, and the names and locations of at least two Special Forces data analysts with top secret clearance.
The expert notified Potomac executives of his findings via phone and email, but he said they did not appear to take him seriously. The leaky file repository was taken offline after the researcher called one of his U.S. government contacts.
“It’s not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information,” Vickery said in a blog post. “Let’s hope that I was the only outsider to come across this gem. Let’s really hope that no hostile entities found it. Loose backups sink ships.”
Contacted by SecurityWeek, Potomac Healthcare Solutions provided the following statement:
“We are aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information. Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support.
While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised. The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns.”
Booz Allen Hamilton stated the following: “We take any allegation of a data breach very seriously, including those from our subcontractors. We are looking into this alleged event.”
*Updated with statement from Booz Allen Hamilton
Related Reading: Topps Customer Data Exposed After Website Hack
Related Reading:NSA Contractor Arrested for Theft of Classified Material