UpGuard finds information on over 37,000 Australia and New Zealand clinical trial participants in the wild

The uncovered database had 37,170 rows of 'user' collection, the same amount of users that Neoclinical has.
Written by Asha Barbaschow, Contributor

A database containing information on individuals from Australia and New Zealand has been uncovered, with the exposed data connected to clinical trials.

As UpGuard detailed in a blog post, the database belonged to Neoclinical, an Australia-based company that matches individuals with active clinical trials.

The database included collections for different entity types involved in connecting users to clinical trials, such as the accounts of organisations running the trials and information on the "users" themselves seeking entry to those trials.

In addition to contact information, UpGuard said the database included users' responses to questions qualifying them for clinical trials, which included questions about medical diagnoses and treatments.

According to UpGuard, the Neoclinical website claims the organisation has 37,170 users -- exactly the number of rows in the "users" collection of the database that has been uncovered.

Each of those users has a profile with a collection of information describing their fit for the various trials being coordinated with Neoclinical, UpGuard said.

"Part of the profile is personal information like name, email address, physical address, geo coordinates for that address, and date of birth. Additionally, the user information includes their responses to the questions and any trials for which they qualified," UpGuard wrote.

UpGuard said that on July 1, one of its researchers detected a MongoDB database named "neoclinical". On that same day, the researcher sent an email notification to Neoclinical and called both phone numbers on Neoclinical's website, one of which was disconnected and the other was configured to record a 10 second message to be transcribed and sent as text.

"On July 25 the researcher escalated notification to AWS Security, which followed their standard procedure of responding that they would notify the owner of the database. On July 26, public access to the database was removed," UpGuard wrote.

While the data is no longer available, UpGuard highlighted the significance of a database such as this being exposed.

"Neoclinical is one example of a company filling a particular role in the larger economy of healthcare that extends far beyond the relationship between doctor and patient within the protections of the hospital," the company continued.

"For individuals, this case provides a reminder that whenever they pass information to a third party, they should consider the impact of that data being exposed. And for companies, it should highlight the importance of having an incident response capability so that when data leaks occur, they can be mitigated within hours rather than weeks."


Editorial standards