2 min read

Broadvoice VoIP service leaks 350 million records, PHI exposed

Rikin Shah October 26, 2020

Healthcare cybersecurity news
Yellow envelope with megaphone illustration
Envelope with megaphone symbolizing email communication and alerts Yes, you read that headline right. A cloud-based telecommunications provider has accidentally leaked the contents of some 350 million individual records. A subset of these records included transcripts that referred to financial and medical information. 

Background

Broadvoice, a cloud-based Voice over IP (VoIP) provides telecommunications services to small, medium, and enterprise-level companies all over the United States. These companies include law firms, retail stores, and also medical offices. Bob Diachenko, working on behalf of tech security firm Comparitech to index the Shodan.io IoT search engine, discovered an Elasticsearch cluster that contained ten data collections that stored 350 million voicemails without any password protection that had just been indexed into the search engine.  An Elasticsearch database is an open-source tool that allows for real-time searching and data analysis. The misconfigured collection labeled “People Production” had account ID numbers of Broadvoice’s customers. This allowed researchers to cross-reference the entries with records in the other collections to identify Broadvoice as the common denominator.   The largest subset of the ten collections consisted of 275 million records with full caller names, identification numbers, phone numbers, as well as city and state identifiers of the individuals involved. Another subset included 2 million voicemail records which included 200,000 transcripts that detailed medical identifiers like individual business names, clinical staff labels, appointments, as well as financial information.  One transcript even included a caller identifying themselves by name and discussing a recent positive COVID-19 diagnosis. 

 

What happened next

As a result of his findings, Diachenko reached out to Broadvoice to disclose his discovery and only got an automated response with no further correspondence. If this sounds familiar, it’s because we’ve covered this type of thing before. SEE ALSO: GitHub Leaks Healthcare Information – HHS Still Likely Unaware Unlike parties involved in the GitHub breach, Broadvoice responded quickly by locking down the database on October 2nd, one day after Diachenko notified the company. Perhaps Broadvoice CEO Jim Murphy had been reading our blog all along. 

 

What could have happened

Say Broadvoice did not lock its files down fast enough. Malicious actors could have used the information that had been exposed to facilitate targeted email phishing attacks.  During the attack, hackers could have posed as Broadvoice or a client and convinced customers to provide login credentials or financial information.  Subsequently, hackers could have either held the data as ransom and threatened to expose it on the black market or they could have used the credit card information to drain the customer’s bank account. The latter is a form of identity theft that can result in thousands of dollars in expenses that the customer must pay in order to correct the issue.  

 

The main issue

The major problem here is that Broadvoice left a database open without any authentication required for access. Because lots of personal information flows through Broadvoice’s systems on behalf of doctor’s offices, law firms, retail stores, and other businesses, having a database cluster with client information that doesn’t even require a password to access is absolutely egregious.  Two-factor authentication is specifically designed to stop leaks like this from occurring and can satisfy the electronic PHI (ePHI) access requirements as per the HIPAA Security Rule. Additionally, since Broadvoice stores PHI on behalf of its healthcare customers, it should have executed a business associate agreement (BAA) . The purpose of a BAA is that a business associate agrees to protect PHI. Medical providers that partner with services that do not sign a BAA open themselves up to severe liabilities.  As a result of this leak, Broadvoice could be subject to millions of dollars worth of fines; HHS is no stranger to doling them out to business associates  as well as covered entities . SEE ALSO: Business Associate Pays $2.3 Million for HIPAA Noncompliance

 

Why you should work with Paubox

While we aren’t in the business of VoIP, we are in the business of electronic data security. Paubox Email Suite provides HIPAA compliant email by default with two-factor authentication built in.  It shouldn't even be possible to find a company in 2020 that compromises protected health information (PHI) by not securing data with a password. Unfortunately, however, it still happens. By utilizing a HITRUST CSF certified product like Paubox Email Suite, you can start securing valuable user PHI today. 
 
Try Paubox Email Suite for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Person using a laptop

1 min read

What is stalkerware?

Chloe Bowen : August 12, 2021

Think about everything you've done with your mobile device or computer today. If you're like many of us, you've probably posted to or browsed social...

Healthcare cybersecurity news
Read More
blue digital lock

Top healthcare data breaches of 2025 affect over 29 million (so far)

Picture of Farah Amod Farah Amod : July 16, 2025

A review of reports filed in the first half of the year reveals the scale of ongoing cybersecurity challenges in the healthcare sector.

Healthcare cybersecurity news
Read More
U.S. Capitol building with American flag

Paubox Weekly: HHS releases new healthcare cybersecurity strategy

Picture of Dean Levitt Dean Levitt : December 8, 2023

Hello world,

Healthcare cybersecurity news
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.