Database Containing More Than 8 Million Patient Records Exposed Online
A huge database containing approximately 2.7 million patient profiles and 8.8 million appointment records has been exposed online. The database included names, birth dates, addresses, phone numbers, email addresses, chart IDs, billing information, and language preferences. The appointment records contained patient metadata, timestamps, and institutional references.
The unprotected database was identified by researchers at Cybernews. While the owner of the database has not been confirmed, the researchers found references to a digital marketing and web development company called Gargle, which offers services specifically for U.S. dental practices. The company’s services include SEO-optimized websites with integrated scheduling, patient communication, and payment processing tools. The associated infrastructure could include databases containing protected health information (PHI). The size of the database and sheer number of patient records suggest it contains data from multiple covered entities. The researchers confirmed that the records include verified mobile numbers, suggesting real rather than test data.
After the researchers notified Gargle, the exposed database was secured; however, no response or comment was received from Gargle confirming that it is the owner of the database. The researchers were unable to determine how long the database had been exposed online or whether it had been accessed while it was unprotected.
Any company that works with HIPAA-covered entities and provides products or services that require contact with protected health information (PHI) is classed as a business associate under HIPAA and is required to sign a business associate agreement. If a business associate uses a vendor whose services require contact with PHI, the vendor must also sign a business associate agreement and agree to comply with the HIPAA Rules.
In the event of a data breach at a business associate, each affected covered entity client must be informed. The breach must be reported to the Secretary of the HHS, and breach notification letters must be sent to the affected individuals. Ultimately, it is the responsibility of each affected covered entity to ensure that notification letters are issued following a breach at one of their business associates. Each affected covered entity may issue its own notifications, or the responsibility can be delegated to the business associate.
No data breach from Gargle is currently listed on the HHS’ Office for Civil Rights breach portal, and the HIPAA Journal has not encountered any breach reports from dental practices that relate to such a breach. Under HIPAA, business associates must notify affected covered entity clients about any breach of PHI within 60 days of discovery, after which covered entities must ensure that notifications are issued within 60 days. Cybernews said the exposed database was disclosed on March 26, 2025.
Correction: This post initially stated that this was a MongoDB database. MongoDB has confirmed that the breach was the result of a misconfiguration within Gargle’s self-managed open source database licensed by MongoDB, and that there was no breach of MongoDB Atlas or any system operated by MongoDB, Inc.


