CloudDefense.AI exposes security flaw in breast pump company's data storage, leaving millions of documents at risk

Barbara Ericson
28 Mar

A breast pump manufacturer has left over 7 million documents exposed, raising concerns about data safety in women's healthcare. The California-based medical company, whose name has not been disclosed, has been storing millions of documents on an exposed server that includes the names, email addresses, and phone numbers of doctors across the United States.

The server, which was discovered by Anurag Sen, a cloud security researcher with CloudDefense.AI, is run by Amazon's cloud computing service and contains approximately 7,151,537 documents in total. The documents are divided between two separate databases and hold the full names, business addresses, fax numbers, and phone numbers of those in the medical profession. National Provider Identifier (NPI) numbers, unique 10-digit identifiers issued to healthcare providers in the U.S., are also present.

The security issue appears to have been caused by a configuration error that left the server exposed without password protection. Although much of the information could be found publicly, it remains unlikely that those listed are aware that their information is centrally available in a database of that size. A timestamp on one of the listings notes that it was made in July 2020.

Despite being informed of the security lapse, the company did not respond. The Daily Dot reached out over a contact form on its website and at a customer service email last week but did not receive a reply either. After reaching a customer service representative over the phone, the Daily Dot was told to once again send an email to the company that would then be forwarded to the appropriate party. However, no contact was ever made.

Dissent Doe, a pseudonymous blogger who chronicles such data exposures, speculated that the data could be either a customer list or a marketing list. While the exposure of the data may not be inherently dangerous, the failure to implement basic security measures by a healthcare company marketed toward women is troubling. Companies that handle data relating to women's healthcare and pregnancy have come under increased scrutiny over the past year, following the overturning of Roe v. Wade, as fears grow that states that are outlawing abortion could use sensitive data to help prosecute abortion seekers.

This incident highlights the importance of companies implementing proper data protection measures, especially when dealing with sensitive information in the healthcare industry. It also emphasizes the need for individuals to be aware of the potential risks associated with sharing their personal information with companies, particularly in the digital age where data breaches are becoming increasingly common. As such, it is crucial that companies take responsibility for protecting the data they hold and that individuals remain vigilant and proactive in protecting their own information.
