Government Subcontractor Leaks Military Healthcare Worker Data

A security researcher claims to have discovered a large volume of data inadvertently leaked online by a subcontractor that provides healthcare services and professionals to the United States government.

Potomac Healthcare Solutions provides services to the U.S. Army, the Navy, the Marine Corps, the Air Force, the Army Corps of Engineers, Immigration and Customs Enforcement (ICE) and several other organizations in the public sector. In 2013, after teaming up with Booz Allen Hamilton, Potomac obtained a contract with the U.S. Military’s Special Operations Command (SOCOM).

MacKeeper researcher Chris Vickery discovered that an unprotected remote synchronization (rsync) service linked to a Potomac IP address had been exposing more than 11 Gb of files.

An analysis of the files revealed that they stored various types of information, including the names, email addresses, phone numbers, dates of birth, contract information, work locations, and social security numbers (SSNs) of healthcare professionals working at Potomac facilities and U.S. military installations.

Vickery said the exposed data also included a file containing usernames and passwords for various services, and the names and locations of at least two Special Forces data analysts with top secret clearance.

The expert notified Potomac executives of his findings via phone and email, but he said they did not appear to take him seriously. The leaky file repository was taken offline after the researcher called one of his U.S. government contacts.

“It’s not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information,” Vickery said in a blog post. “Let’s hope that I was the only outsider to come across this gem. Let’s really hope that no hostile entities found it. Loose backups sink ships.”

Contacted by SecurityWeek, Potomac Healthcare Solutions provided the following statement:

“We are aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information. Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support. 

While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised. The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns.”

Booz Allen Hamilton stated the following: “We take any allegation of a data breach very seriously, including those from our subcontractors. We are looking into this alleged event.”

UPDATE 01.05.2017 - Potomac Healthcare Solutions has provided the following statement after completing its investigation into this incident:

As a follow-up to the initial communication on this issue, Potomac Healthcare Solutions, with support from an external forensic IT firm, has completed its investigation of a security incident involving the unauthorized access of one of our internal servers.

Despite earlier media reports, our review, which was immediately initiated after the initial questions were raised, has confirmed that the impacted server did not contain any classified government information or protected medical or personal data related to active duty military personnel or their families. However, the affected server did contain files with data of a limited number of current and former Potomac employees’ personal information.

While we have no evidence to suggest that any employee information has been used inappropriately, Potomac is in the process of proactively reaching out to impacted employees to provide guidance on how they can protect themselves and is offering complimentary credit monitoring and identity theft protection services to affected individuals. The privacy and security of personal information is a top priority, and we are committed to taking steps to prevent this type of incident from occurring again in the future.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.