Jeremiah Fowler, a security researcher, uncovered a non-password-protected database thought to be owned by Carolina Anaesthesiology PA, a healthcare organisation based in North Carolina. This dataset included several states, had 21,344 records, and was about 7GB in size.
The data included sensitive information such as patient names, physical addresses, phone numbers, and email addresses, as well as insurance coverage details, anaesthesia summaries, diagnoses, family medical histories, and doctor's notes.
According to the researcher, there were files labelled 'Billing and Compliance Reports', which indicates the sort of data contained. While there is no proof that the database fell into criminal hands, the vulnerability of the unsecured database might expose numerous people to social engineering attacks such as phishing, identity theft, or fraud.
The dataset included a "detailed analysis and key metrics related to medical billing and healthcare services provided," according to the researcher. However, the healthcare company that was contacted stated that it did not own or manage the database, but that the owner had been notified and that public access was restricted.
It remains unclear whether the information was accessed by a threat actor or a third party; only an internal audit would reveal this, and as far as we know, the content has not appeared on any dark web sites for sale by hackers. The researcher's investigation revealed that the contents of this folder were most likely associated with Atrium Health, a Carolina Anaesthesiology PA partner.
“Our cyber security team immediately launched an internal investigation upon receiving an email tip in mid-February 2025 about a possible data breach. Our investigation found that Carolina Anesthesiology, P.A., who regularly provides anesthesia services at select facilities, misconfigured the technology service used for billing data, exposing some of their patient data,” Atrium Health responded to the intrusion.
“We immediately shut down all data feeds to Carolina Anesthesiology and, as a courtesy, notified the regular governing entities. We continue to learn more from the Carolina Anesthesiology team about their plan to notify their patients of this breach. All data feeds remain off until this issue has been satisfactorily addressed.”