The database, which was publicly accessible without any encryption or password protection, contained a vast collection of 1,674,218 records, amounting to a total size of 2 terabytes. The stored documents were in PDF format and had file names that included individuals’ names. A review of a sample of these documents revealed a significant amount of potentially sensitive personal and medical details, such as full names, dates of birth, phone numbers, email addresses, vaccination records (including the specific vaccines administered), current medications, and various health conditions disclosed by survey participants.

Additionally, some surveys contained notes detailing adverse reactions to COVID-19 vaccines, other existing medical conditions, the names of doctors, whether individuals were pregnant or using birth control, and the identities of survey administrators. Since this data pertains to private health information, it could fall under legal privacy protections. Public exposure of such sensitive medical details could have serious consequences, as health histories are permanent and cannot be changed like financial data or other forms of personally identifiable information.

The name of the database and its records strongly indicated that it belonged to DM Clinical Research, a Houston-based organization that operates clinical trial sites. This company facilitates clinical studies by connecting patients with physicians, offering experimental or alternative treatment options. Upon discovering the exposure, I promptly sent a responsible disclosure notice to DM Clinical Research. Within hours, the database was secured and no longer publicly accessible.

The following day, I received a response acknowledging the disclosure. The company stated that its team was actively reviewing the situation to ensure a thorough resolution and emphasized its commitment to data security and compliance with best practices and relevant regulations. However, while the records were linked to DM Clinical Research, it remains unclear whether the database was directly managed by the company or by a third-party contractor. Additionally, the duration of the exposure and whether any unauthorized individuals accessed the data before its discovery remain unknown. A detailed internal forensic audit would be necessary to determine if there were any breaches or suspicious activity.

According to DM Clinical Research’s website, the company has been in operation for two decades. Initially focused on vaccines and internal medicine, it has since expanded its scope to include pediatrics, gastroenterology, psychiatry, neurology, women’s health, and other specialties. The organization operates multiple locations in Texas, including Houston, Tomball, Irving, and San Antonio, and has expanded to nine additional states: Arizona, Illinois, Massachusetts, Michigan, New Jersey, New Mexico, New York, Pennsylvania, and Washington.