150,000 potential victims of medical malpractice who clicked on Facebook ads created by xSocial Media and provided their personal medical records including intimate and personal descriptions of their injuries were exposed in a major data breach. The leaked data included not only the full name, address, email, phone number and IP address of the patient but also the circumstance of the injury and an explanation about the injury. Among the information unveiled by the breach were injuries suffered by veterans during combat, injuries by medical devices or by medication side-effects. Some of the data also contained insights about the employment situation of medical patients that could ruin their career.
xSocial Media is a Facebook marketing agency that specializes in running ad campaigns for medical malpractice and other personal injury lawsuits to generate leads for their clients. When Facebook users click their adds, they are asked to fill a form to check if they qualify for legal assistance. These forms generate leads for xSocial Media’s clients. The forms are stored in multiple databases operated by xSocial Media. These databases are not safe and were hacked. After the breach was discovered it took xSocial Media 9 days to act on it and fix the issue. A recent article in VPN Mentor demonstrates how easy a hacker could access this data. (The full VPN Mentor report on this leak can be found here)
Also in addition to leaking medical records, xSocial Media also leaked invoices records containing their own bank account info as well as their clients name, address and phone numbers. The leak also shows the result of their clients campaigns and how much they paid for it.