Summary
This report discloses a severe security misconfiguration in a publicly exposed server belonging to California Back & Pain Specialists (formerly Nova Surgical Institute). The server contained approximately 133 GB of highly sensitive Protected Health Information (PHI), including patient medical records, driver’s licenses, X-rays, and clinical documents. After responsible disclosure to the company and AWS, the server was taken offline. However, no response has been received from California Back & Pain Specialists as of the date of this report.
Who is CALBPS?
California Back & Pain Specialists (CALBPS), formerly known as Nova Surgical Institute, is a network of medical clinics located in California, United States, specializing in the treatment of back pain, neck pain, and spinal injuries.
Finding the exposed data
During my investigation, I found this server exposed on March 16th, 2026. It contained approximately 133 GB of employee and client/patient information. The folders were divided according to the names of the clinic locations:
- Fresno
- San Leandro
- Riverside
- Bakersfield
- Van Nuys
- El Monte
Examining the exposed data
According to the information I gathered, the server had been publicly accessible and unprotected since at least July 22, 2025. The exposed files included patient and employee JSON records, and PDF documents such as driver’s licenses, medical exams, and consent forms.
[Screenshot: more than 3,400 driver’s licenses were found in the “photos” folder]
There were also X-ray images labelled with patient names and dates of birth, as shown below.
Example – Patient Judith
One of the JSON files contained the complete medical record of a patient named Judith. It included her lumbar injections, COVID-related records, date of injury, medical lien, medication list, surgeries, consents, discharge summary, and full medical history. Together with her name, address, and phone number, her entire patient history was publicly exposed. This is extremely serious.
Risks to Protected Health Information (PHI)
Any person on the internet could freely download this sensitive data. This exposure significantly increases the risk of:
- Medical identity theft and insurance fraud
- Document forgery
- Phishing and social engineering attacks
- Extortion or blackmail using confidential medical conditions
- Sale of the data on the dark web
Notification timeline
Our priority was to get the data protected as quickly as possible so that the exposed server would be taken down. We contacted the company by email, starting on the date below:
[Figure: notification diagram showing the steps that had to be followed to get the server problem resolved]
On March 16th, 2026, an email was sent to the health entity alerting them about this publicly exposed server containing 133 GB of sensitive patient information, such as exams, driver's licenses, and forms. When no response or resolution followed, an email was sent to the health entity's website administrator.
On March 31st, 2026, an email was sent alerting the health entity's website administrator about the exposed information and sensitive documentation on the server. No one responded or resolved the issue.
Seeing that no one wanted to or intended to resolve this, I took a few days.
On May 20th, 2026, after several failed attempts, I reported to Amazon (AWS) that their customer at that IP address was exposing sensitive personal information of patients. Amazon showed interest and emailed me back, saying they valued the information and asking if I could send more details for a proper investigation. I, of course, provided the relevant information.
On May 26th, 2026, Amazon emailed me saying the exposed server had been mitigated. The exposed server was fixed in just six days.
On May 27, 2026, we sent a follow-up email to California Back & Pain Specialists asking whether they intended to notify the affected patients, relevant regulators, and clients about the exposed server containing sensitive patient data. To date, we have not received any response.
Technical Recommendations
To prevent future incidents, the following security measures are strongly recommended:
Immediate Actions
- Disable public access and directory listing on all servers immediately.
- Implement strong authentication (username/password with MFA, IP allowlisting, or VPN-only access).
- Remove or move all sensitive patient data to a secure, encrypted environment.
- Use signed URLs or temporary access tokens instead of public files.
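The last item above, replacing world-readable files with time-limited links, is easy to get wrong (unsigned expiry, non-constant-time comparison). The following is an added example, not code from the original report or from CALBPS/AWS: a generic HMAC-SHA256 signed-URL scheme, the same idea behind cloud-provider presigned URLs, kept self-contained so it runs offline. The signing key, host name and file paths are constructed for the example.

```python
"""Time-limited signed URLs in place of world-readable files.

Added example (not the report's or CALBPS's code). Generic HMAC-SHA256
signed-URL scheme; signing key, host and paths below are constructed.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret. In production, load it from a secrets
# manager and rotate it; anyone holding this key can mint valid links.
SIGNING_KEY = b"example-only-signing-key-rotate-me"


def _mac(path: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    # The MAC covers both the object path and the expiry, so neither can be
    # changed without invalidating the signature.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return base+path with an expiry and signature in the query string."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Accept a link only if it is unexpired and its signature matches."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # unsigned or malformed request: deny by default
    if now > expires:
        return False  # link has expired
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    return hmac.compare_digest(_mac(parsed.path, expires), sig)


if __name__ == "__main__":
    link = sign_url("https://files.example", "/Fresno/photos/sample.pdf", ttl_seconds=300)
    print(link)
    print("valid now:", verify_url(link))
```

The web server (or an authorizing proxy in front of it) calls `verify_url` before serving any file and returns 403 otherwise; the expiry is part of the signed message, so a client cannot extend a link by editing the `expires` parameter. Keep the TTL short (minutes, not days), since anyone who obtains the link can use it until it expires.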
Best Practices for Handling PHI
- Never store Protected Health Information on publicly accessible servers.
- Use HIPAA-eligible cloud storage solutions with a signed Business Associate Agreement (BAA).
- Implement encryption at rest (e.g., AES-256, with keys held in a key management service) and in transit (TLS 1.2 or later).
- Apply the principle of least privilege — only authorized personnel should have access.
General Security Improvements
- Conduct regular security audits and configuration reviews of all servers and cloud assets.
- Enable detailed logging and monitoring for access attempts.
- Implement an Incident Response Plan that includes mandatory breach notification procedures.
- Perform periodic penetration testing and vulnerability assessments.
- Use proper secrets management and avoid exposing directories publicly.
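Logging is only useful if someone reads it. After an exposure like this one, the first question a breach assessment asks is who actually pulled the data. The script below is an added example, not code from the original report: it assumes the server wrote nginx/Apache "combined" format access logs (an assumption; the report does not say which web server was running) and flags two things, external clients that were served a directory index and external clients that downloaded many sensitive files. The log lines, internal address ranges and threshold are constructed for the example.

```python
"""Triage of web-server access logs for an exposed directory tree.

Added example (not the report's code). Assumes combined-format access logs;
the log lines, internal ranges and threshold below are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# File types the report describes as exposed: JSON records, PDFs, photos, X-rays.
SENSITIVE_RE = re.compile(r"\.(json|pdf|jpe?g|png|dcm)$", re.IGNORECASE)

# Constructed: address ranges treated as internal/trusted (membership test,
# not ipaddress.is_private, because documentation ranges count as private there).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample log in combined format; only documentation IP ranges used.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:03:14:07 +0000] "GET /Fresno/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:03:14:09 +0000] "GET /Fresno/photos/dl_0001.jpg HTTP/1.1" 200 231044 "-" "Wget/1.21"
203.0.113.7 - - [10/Mar/2026:03:14:09 +0000] "GET /Fresno/photos/dl_0002.jpg HTTP/1.1" 200 228790 "-" "Wget/1.21"
203.0.113.7 - - [10/Mar/2026:03:14:10 +0000] "GET /Fresno/records/patient_0001.json HTTP/1.1" 200 9011 "-" "Wget/1.21"
203.0.113.7 - - [10/Mar/2026:03:14:10 +0000] "GET /Fresno/consents/consent_0001.pdf HTTP/1.1" 200 120334 "-" "Wget/1.21"
203.0.113.7 - - [10/Mar/2026:03:14:11 +0000] "GET /Fresno/xray/xr_0001.dcm HTTP/1.1" 200 5120000 "-" "Wget/1.21"
198.51.100.4 - - [10/Mar/2026:08:02:51 +0000] "GET /Riverside/records/patient_0440.json HTTP/1.1" 200 8870 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2026:08:02:52 +0000] "GET /Riverside/records/missing.json HTTP/1.1" 404 153 "-" "curl/8.4.0"
10.0.0.5 - - [10/Mar/2026:09:30:00 +0000] "GET /Riverside/ HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines, bulk_threshold: int = 5) -> dict:
    """Flag directory indexes served to external IPs and bulk sensitive downloads."""
    listings = []
    downloads = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or is_internal(rec["ip"]):
            continue
        if rec["path"].endswith("/"):
            listings.append((rec["ip"], rec["path"]))  # a directory index was served
        elif SENSITIVE_RE.search(rec["path"]):
            downloads[rec["ip"]] += 1
    bulk = {ip: n for ip, n in downloads.items() if n >= bulk_threshold}
    return {"directory_listings": listings, "bulk_downloaders": bulk}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, path in result["directory_listings"]:
        print(f"directory index served to {ip}: {path}")
    for ip, n in result["bulk_downloaders"].items():
        print(f"bulk download of {n} sensitive files from {ip}")
```

A request for a path ending in "/" that returned 200 is only a strong signal when autoindex is enabled (an `index.html` would also match), so confirm against the server configuration or response size before treating it as a listing. The per-IP counts, together with the earliest timestamps, are what a notification to regulators and patients needs: not just that the data was reachable, but which external parties retrieved it and when.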
Final Note
Ethical Disclosure
Report published: June 3, 2026
Security Researcher: chum1ng0