US: California Back & Pain Specialists Exposes 133GB of Patient Medical Records on Public Server
newschu
June 03, 2026

Summary
This report discloses a severe security misconfiguration in a publicly exposed server belonging to California Back & Pain Specialists (formerly Nova Surgical Institute). The server contained approximately 133 GB of highly sensitive Protected Health Information (PHI), including patient medical records, driver's licenses, X-rays, and clinical documents. After responsible disclosure to the company and AWS, the server was taken offline. However, no response has been received from California Back & Pain Specialists as of the date of this report.

Who is CALBPS?
A network of medical clinics located in California, United States, specializing in the treatment of back pain, neck pain, and spinal injuries, formerly known as Nova Surgical Institute.

Finding the exposed data
[Image: the exposed folders on the server]
During my investigation, I found this server exposed on March 16th, 2026. It contained approximately 133 GB of employee and client/patient information. The folders were named after the clinic locations:

- Fresno
- San Leandro
- Riverside
- Bakersfield
- Van Nuys
- El Monte

Examining the exposed data
According to the information I gathered, the server had been publicly accessible and unprotected since at least July 22, 2025. The exposed files included patient and employee JSON records and PDF documents such as driver's licenses, medical exams, and consent forms.
More than 3,400 driver’s licenses were found in the "photos" folder
The left image shows a patient data sheet containing the patient's name, age, date of birth, phone number, procedure description, pre-diagnosis, and confirmation of general anesthesia. The right image displays a pre-operative order sheet, including the patient's consent, the doctor's name, and pre-operative instructions. The patient's personal data (name, date of birth, and Medicaid information) has been redacted in the bottom corner.
There were also X-ray images labeled with patient names and dates of birth, as shown below.
The patient X-ray files contained the patient's name, ID number, and date of birth. In the lower left corner of the images, the date the X-ray was taken is clearly visible. Examples from different patients showed dates such as 2008 and 2023.
Example – Patient Judith
One of the JSON files contained the complete medical record of a patient named Judith. It included her lumbar injections, COVID-related records, date of injury, medical lien, medication list, surgeries, consents, discharge summary, and full medical history. In addition to her name, address, and phone number, her entire patient history was publicly exposed. This is extremely serious.

Risks to Protected Health Information (PHI)
Any person on the internet could freely download this sensitive data. This exposure significantly increases the risk of:

- Medical identity theft and insurance fraud
- Document forgery
- Phishing and social engineering attacks
- Extortion or blackmail using confidential medical conditions
- Sale of the data on the dark web

Notification
For our part, we had to get the data protected as soon as possible in order to resolve the problem of the exposed server. We contacted the company by email starting on the following date:

[Diagram: the notification process followed to get the exposed server resolved]

On March 16th, 2026, an email was sent to the health entity alerting them about this publicly exposed server containing 133 GB of sensitive patient information, such as exams, driver's licenses, and forms. When no response or resolution followed, an email was sent to the health entity's website administrator.

On March 31st, 2026, an email was sent alerting the health entity's website administrator about the exposed information and sensitive documentation on the server. No one responded or resolved the issue.

Seeing that no one wanted to or intended to resolve this, I took a few days.

On May 20th, 2026, after several failed attempts, I reported to Amazon AWS that their client at that IP address was exposing sensitive personal information of patients. Amazon showed interest and emailed me back, saying they valued the information and asking whether I could send more details for a proper investigation. I, of course, provided the relevant information.

On May 26th, 2026, Amazon emailed me saying the exposed server had been mitigated. The exposed server was fixed in just six days.

On May 27, 2026, we sent a follow-up email to California Back & Pain Specialists asking whether they intended to notify the affected patients, relevant regulators, and clients about the exposed server containing sensitive patient data. To date, we have not received any response.

Technical Recommendations
To prevent future...