150,000 potential victims of medical malpractice who clicked on Facebook ads created by xSocial Media and provided their personal medical records, including intimate and personal descriptions of their injuries, were exposed in a major data breach. The leaked data included not only the full name, address, email, phone number and IP address of the patient but also the circumstances of the injury and an explanation of the injury. Among the information exposed by the breach were injuries suffered by veterans during combat and injuries caused by medical devices or by medication side effects. Some of the data also contained insights about the employment situation of medical patients that could ruin their careers.
xSocial Media is a Facebook marketing agency that specializes in running ad campaigns for medical malpractice and other personal injury lawsuits to generate leads for its clients. When Facebook users click its ads, they are asked to fill out a form to check whether they qualify for legal assistance. These forms generate leads for xSocial Media’s clients. The forms are stored in multiple databases operated by xSocial Media. These databases are not safe and were hacked. After the breach was discovered, it took xSocial Media 9 days to act on it and fix the issue. A recent article in VPN Mentor demonstrates how easily a hacker could access this data. (The full VPN Mentor report on this leak can be found here.)
In addition to leaking medical records, xSocial Media also leaked invoice records containing its own bank account information as well as its clients’ names, addresses and phone numbers. The leak also shows the results of its clients’ campaigns and how much they paid for them.
Medical records are heavily protected by HIPAA laws, and healthcare providers are required to have the written permission of their patients to disseminate their information. While xSocial Media is not required to be HIPAA compliant because patients are free to disclose their personal information, those patients were probably not expecting to have their testimony publicly exposed.
The new cyber ambulance chasers
If you believe you are the victim of medical malpractice, we would strongly recommend that you not fill out a Facebook form or contact any law firm that is using aggressive advertising campaigns. Most personal injury law firms using this type of marketing are “personal injury mills” or what we also call “ambulance chasers”. Their goal is to produce a high volume of quick settlements regardless of their clients’ personal situation. These are the ones who give a bad name and reputation to our profession.
If you are looking for a medical malpractice lawyer, take the time to do your homework and to look for a personal injury law firm with a solid track record of helping clients, and contact them directly. Ask to talk directly to a lawyer. The initial consultation is always free.