Hundreds of thousands of medical records, including those belonging to U.S. military personnel injured in combat, have been found exposed in two separate data breaches, one linked to a medical processing firm and the other a social media company.

Both data breaches were discovered by security researchers Noam Rotem and Ran Locar from vpnMentor and involved the private data sitting on servers exposed to all and sundry.

In the first case, described earlier this week, personal data belonging to about 78,000 patients using a drug called Vascepa were found on an unsecured MongoDB database. The exposed data include patients’ names, addresses, phone numbers, email addresses, prescribing doctor, their NPI number and pharmacy information.

It was not entirely clear who owns the database. The researchers found identification codes for two companies in the data: email marketing platform provider Constant Contact and PSKW, the legal name of an electronic prescription program called ConntectiveRX.

“We suspect the database may belong to ConnectiveRX, given the consistency of the tags in the data,” the researchers wrote. “However, we only found data concerning Vascepa prescriptions, which makes it less clear where the leak originated.”

Discussing the Vascepa database, Kevin Gosschalk, chief executive of fraud prevention technology firm Arkose Labs Inc., told SiliconANGLE that on the heels of Quest Diagnostic and LabCorp, this is the third high-profile healthcare breach in the past three weeks.

“Companies handling medical records are heavily targeted by cybercriminals and must take every precaution necessary to protect all of their attack surfaces,” Gosschalk said. “In today’s advanced threat landscape, companies cannot afford a serious lapse in security of this nature. Proactive security measures must be in place at all times to protect the attack surface and secure sensitive data.”

The second and larger of the two data breaches involved some 150,000 personal records and other data on a server belonging to xSocialMedia Inc., a Facebook Inc. marketing agency that specializes in running campaigns for medical malpractice lawsuits.

The exposed data appears to have been gathered from responses to Facebook ads and included names, email address, street address, phone number and details about the person’s injuries. In additional to the personal information, the servers included invoices, customer data and exact numbers for advertising campaigns for injury-check.com, a website used by xSocialMedia to gather data.

The data included information from veterans where they described injuries including post-traumatic stress disorder and other intimate medical details that should never have been exposed. The vpnMentor researchers immediately contacted xSocialMedia about the data breach, but the company took nine days to take the data offline.

There is no evidence at this stage that the data in either case had been accessed by those with malicious intent, but there’s also no evidence to prove that the data hadn’t been accessed either.

“When such a range of information is packaged up like this, it is just like a present waiting for bad actors to come and grab it,” said Terry Ray, senior vice president and fellow at cybersecurity firm Imperva Inc. “It is very likely this information already being traded on the dark web,” the shady part of the internet reachable with special software where people sell drugs, user data and other illicit goods.

In these cases, he said, “much more care should have been taken since the database was storing medical information in addition to personal information.” The failure to encrypt this patient data, he added, could be in violation of the Health Insurance Portability and Accountability Act or HIPAA and those responsible could face a substantial fine.

Image: Blue Coat Photos/Flickr