A MongoDB database containing approximately 2.7 million patient records and 8.8 million consultation records was found exposed on the internet. The database contained names, addresses, birth dates, phone numbers, chart IDs, billing data, email addresses, and language preferences. The consultation records included patient metadata, institutional references, and timestamps.
Researchers at Cybernews identified the unsecured database. The database owner is still unknown, but the researchers discovered references to a digital marketing and web solutions company known as Gargle. Gargle provides its services primarily to U.S. dental offices. The company offers services such as SEO-optimized websites integrated with booking software, a patient portal, and payment processing applications. These integrated systems may include databases that store protected health information (PHI). The size of the MongoDB database and its large volume of patient data indicate that it contains information from several covered entities. The researchers stated that the records include validated mobile numbers, indicating real rather than test data.
The researchers informed Gargle about the unsecured database, after which the database was secured. However, Gargle did not comment or confirm that it owns the database. The researchers could not determine how long the database was exposed online or whether it was accessed while it was unsecured.
A company that provides products or services to a HIPAA-covered entity and is given access to protected health information (PHI) is classified as a business associate (BA) under the HIPAA Rules. Signing a business associate agreement (BAA) is required in such a case. When a business associate hires a vendor that requires access to PHI to render the service, the vendor should likewise sign a BAA and comply with the HIPAA Rules.
If a business associate experiences a data breach, each impacted covered entity client should be notified. The breach report should be submitted to the Secretary of the HHS. Affected individuals should receive breach notification letters. Ultimately, the impacted covered entity is responsible for ensuring that notification letters reach impacted individuals within 60 days of learning about a breach that happened at a business associate. The impacted covered entity could send the notifications itself or delegate the task to the business associate. Cybernews mentioned that the breached database was discovered on March 26, 2025.
The HHS’ Office for Civil Rights breach portal currently does not list any data breach reported by Gargle, nor any data breach reported by dental practices in connection with this exposure.