Broadvoice VoIP service leaks 350 million records, PHI exposed

Featured image

Share this article

Broadvoice VoIP Service Leaks 350 Million Records, PHI Exposed - Paubox

Yes, you read that headline right. A cloud-based telecommunications provider has accidentally leaked the contents of some 350 million individual records. A subset of these records included transcripts that referred to financial and medical information. 


Broadvoice, a cloud-based Voice over IP (VoIP) provides telecommunications services to small, medium, and enterprise-level companies all over the United States. These companies include law firms, retail stores, and also medical offices.

Bob Diachenko, working on behalf of tech security firm Comparitech to index the IoT search engine, discovered an Elasticsearch cluster that contained ten data collections that stored 350 million voicemails without any password protection that had just been indexed into the search engine. 

An Elasticsearch database is an open-source tool that allows for real-time searching and data analysis. The misconfigured collection labeled “People Production” had account ID numbers of Broadvoice’s customers. This allowed researchers to cross-reference the entries with records in the other collections to identify Broadvoice as the common denominator.  

The largest subset of the ten collections consisted of 275 million records with full caller names, identification numbers, phone numbers, as well as city and state identifiers of the individuals involved. Another subset included 2 million voicemail records which included 200,000 transcripts that detailed medical identifiers like individual business names, clinical staff labels, appointments, as well as financial information. 

One transcript even included a caller identifying themselves by name and discussing a recent positive COVID-19 diagnosis. 

What happened next

As a result of his findings, Diachenko reached out to Broadvoice to disclose his discovery and only got an automated response with no further correspondence. If this sounds familiar, it’s because we’ve covered this type of thing before.

SEE ALSO: GitHub Leaks Healthcare Information – HHS Still Likely Unaware

Unlike parties involved in the GitHub breach, Broadvoice responded quickly by locking down the database on October 2nd, one day after Diachenko notified the company. Perhaps Broadvoice CEO Jim Murphy had been reading our blog all along. 

What could have happened

Say Broadvoice did not lock its files down fast enough. Malicious actors could have used the information that had been exposed to facilitate targeted email phishing attacks. 

During the attack, hackers could have posed as Broadvoice or a client and convinced customers to provide login credentials or financial information. 

Subsequently, hackers could have either held the data as ransom and threatened to expose it on the black market or they could have used the credit card information to drain the customer’s bank account. The latter is a form of identity theft that can result in thousands of dollars in expenses that the customer must pay in order to correct the issue.  

The main issue

The major problem here is that Broadvoice left a database open without any authentication required for access. Because lots of personal information flows through Broadvoice’s systems on behalf of doctor’s offices, law firms, retail stores, and other businesses, having a database cluster with client information that doesn’t even require a password to access is absolutely egregious. 

Two-factor authentication is specifically designed to stop leaks like this from occurring and can satisfy the electronic PHI (ePHI) access requirements as per the HIPAA Security Rule.

Additionally, since Broadvoice stores PHI on behalf of its healthcare customers, it should have executed a business associate agreement (BAA). The purpose of a BAA is that a business associate agrees to protect PHI. Medical providers that partner with services that do not sign a BAA open themselves up to severe liabilities. 

As a result of this leak, Broadvoice could be subject to millions of dollars worth of fines; HHS is no stranger to doling them out to business associates as well as covered entities.

SEE ALSO: Business Associate Pays $2.3 Million for HIPAA Noncompliance

Why you should work with Paubox

While we aren’t in the business of VoIP, we are in the business of electronic data security.

Paubox Email Suite provides HIPAA compliant email by default with two-factor authentication built in. 

It shouldn’t even be possible to find a company in 2020 that compromises protected health information (PHI) by not securing data with a password. Unfortunately, however, it still happens. By utilizing a HITRUST CSF certified product like Paubox Email Suite, you can start securing valuable user PHI today. 

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Rikin Shah

Read more by Rikin Shah

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022