Breastcancer.org User Medical Information and Sensitive Images Reportedly Left Exposed and Accessed
California Attorneys Investigating the Reported Data Breach
Breastcancer.org (“BCO”) is reported to have exposed over 350,000 user files, some containing medical information and personal images. According to SafetyDetectives, a pro bono research lab, BCO’s unsecured data exposed over 350,000 files, containing user images and EXIF data attached to posted images. In so doing, BCO may have revealed users’ medical conditions, along with where they live, get medical treatment, and any number of other pieces of personal information.
The exposed images were found by the research lab to comprise, in part, medical test results and patient images, both clothed and nude. The data is purported to have contained files dating back to 2017.
According to SafetyDetectives, it informed Breastcancer.org about the exposed data on November 17, 2021, and then again on November 21, 2021. When no response was received, it sent further messages on December 14, 2021. SafetyDetectives reported that it found the data secured on May 4, 2022.
"The healthcare sector has been a main target of cyberattacks. [...] Data breaches, particularly when they involve sensitive information such as Social Security numbers and health records, threaten the privacy, security, and economic wellbeing of consumers."
Keeping sensitive data secure and encrypted is vital to maintaining user privacy and trust. Failing to do so has consequences. For example, in 2017, the California Attorney General announced a settlement with a health care provider that required the payment of a $2 million penalty for the alleged failure to adequately protect patient records. According to the Complaint filed in that matter, more than 50,000 patient records were available online without encryption or other protections to prevent unauthorized access.
California Laws Protect Patient Personal Information
If you are a California resident, the California Confidentiality of Medical Information Act (CMIA) requires that many businesses that maintain medical information do so in a manner that preserves its confidentiality. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring. Under the CMIA, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.
We Can Help You Exercise Your Rights Under California Law
Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options, and decide whether you should seek compensation under the CMIA. There are no out-of-pocket costs to you, as we only get paid if we prevail.
If you are a California resident who received a Notice from Breastcancer.org or believe your information has been affected and are concerned about this breach of your personal data and what your options are, simply fill out the following form.
EXIF stands for “Exchangeable Image File Format” and can reveal information captured by a digital camera or smartphone, such as the date and time the image was taken and the location.
R. Bonta, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021), https://oag.ca.gov/system/files/attachments/press-docs/2021AUG24 Ransomware Bulletin.pdf.
Attorney General Becerra Announces $2 Million Settlement Involving Santa Barbara-based Cottage Health System Over Failure to Protect Patient Medical Records (Nov. 22, 2017), https://www.oag.ca.gov/news/press-releases/attorney-general-becerra-announces-2-million-settlement-involving-santa-barbara.