15,000+ Leaked Healthcare Secrets Found: Code Blue in the Server Room

July 06, 2026

By Assaf Morag, Cybersecurity Researcher

We found more than 15,000 items containing at least one exposed healthcare secret. When we focused on the 231 most severe cases, we found alarming patterns: full production credentials, cloud admin keys, database access, payment platform secrets, and AI provider tokens, all sitting in public view. Using Flare, we searched public code repositories and container registries for exposed secrets tied to healthcare organizations. So what does this actually look like?

A single container image in a public registry included admin credentials to a medical application, full access to the cloud provider, email system credentials, and API keys for two AI platforms. The healthcare organization whose secrets were exposed likely has no idea. Their own infrastructure was never involved; the leak came from a technology vendor building an AI scheduling tool on their behalf.

This is the pattern we found repeated across hundreds of cases: healthcare secrets leaking from the developers, contractors, and technology providers building software for hospitals, in places no compliance framework is watching. Healthcare security teams often defend highly distributed environments with limited visibility into external exposure and active threats developing outside the organization. In this post, we dig into why and how this happens, and cover multiple case studies of different healthcare secret leak scenarios.

Find Leaked Healthcare Secrets First

See the Exposed Secrets Attackers Already Have

Flare detects technical exposure like leaked secrets and source code across the clear web, including public repositories and container registries where healthcare credentials leak.

Detect leaked secrets and source code
Monitor third-party and contractor exposure

Key Findings About Leaked Healthcare Secrets

  • We found more than 15,000 exposed healthcare secrets, with 231 classified as a critical severity 
  • Third-party developers are the primary source of exposure, with many critical healthcare exposures originated by software development companies, contractors, and technological providers, which leaves the exposure outside the core production environments, and security monitoring and control systems. 
  • Traditional security tools often lack visibility into external exposure sources such as leaked credentials, exposed secrets, malicious domains, and infostealer-related compromise. As a result, healthcare organizations frequently struggle with fragmented visibility across cloud-native infrastructure, third-party services, SaaS environments, and distributed operational systems. Security teams that combine high-quality threat intelligence and exposure management are significantly better positioned to reduce detection time, improve incident response, and limit attacker lateral movement across interconnected healthcare environments.

About the Healthcare Cybercrime Series

Healthcare organizations have become one of the most heavily targeted sectors in cybercrime ecosystems due to the highly sensitive nature of medical data, critical operational dependencies, and the direct impact attacks can have on patient safety, human suffering, and even loss of life. From hospitals and clinics to medical transportation networks and connected medical devices, threat actors increasingly view healthcare as a high-value environment for fraud, extortion, data theft, and operational disruption.

This blog is part of Flare’s Healthcare Cybercrime Series, a collection of focused research pieces examining the shifting threats facing the healthcare sector. The series explores key areas including ransomware operations, healthcare fraud, medical identity theft, exposed patient data, phishing infrastructure, vulnerable medical devices, insider threats, third-party compromise, and other cybercriminal activities targeting healthcare ecosystems.

To learn more about healthcare credential exposure, check out our report on the 33% rise in credential theft in 2025.

Why Healthcare Technology Environments Are Uniquely Challenging to Secure

Healthcare organizations operate highly interconnected ecosystems that combine legacy infrastructure, cloud services, medical devices, third-party vendors, insurance platforms, clinical systems, and rapidly expanding digital healthcare services, all while maintaining continuous patient care operations. Security modernization efforts must constantly compete against operational urgency, regulatory requirements, and patient safety concerns.

Leadership and Budget Gaps

Healthcare organizations today operate some of the most technologically complex environments in the economy, yet executive leadership and cybersecurity budgets have often not kept pace with digital transformation. Across hospitals, insurers, pharmaceutical companies, and broader healthcare ecosystems, upper management traditionally comes from clinical, operational, financial, or administrative backgrounds rather than modern cybersecurity or cloud-security expertise. As a result, security modernization competes for limited resources against patient care, operational continuity, and compliance priorities.

Industry data reflects this imbalance:

Collectively, this creates a dangerous reality in which healthcare organizations are expected to defend enterprise-scale cloud and AI environments with security maturity, staffing, and budgets that often lag behind sectors such as finance, technology, and hyperscale cloud providers.

Legacy Technology and Long-Term Exposure

Hospitals frequently operate legacy Windows systems, unsupported medical software, outdated communication protocols, and flat network architectures that increase the risk of lateral movement once attackers gain access. Medical devices and clinical systems often cannot be easily patched or upgraded due to vendor restrictions, certification requirements, operational dependencies, or concerns about disrupting patient care. Vulnerable systems often remain active in production environments for years, creating persistent exposure that attackers actively target.

Identity and Access Complexity

Healthcare providers rely heavily on large numbers of employees, contractors, clinicians, laboratories, insurers, vendors, and third-party service providers who require access to interconnected systems. Common issues include:

  • Shared accounts
  • Inconsistent MFA deployment
  • Excessive privileges
  • Unmanaged third-party access
  • Weak identity governance across SaaS and cloud-connected environments

As healthcare organizations continue adopting cloud platforms and external providers, identity increasingly becomes one of the most critical attack surfaces for ransomware groups, initial access brokers, and credential-based attacks.

Clinical and Operational Constraints

Unlike many sectors where systems can be temporarily taken offline for maintenance or security upgrades, hospitals and clinical environments often require continuous availability. Security changes may interfere with medical workflows, delay patient treatment, impact device certifications, disrupt integrations, or create operational risks during critical care scenarios. Security teams frequently operate under strict constraints that slow remediation efforts, reduce patching flexibility, and complicate the deployment of modern defensive technologies.

Visibility and Monitoring Challenges

Many organizations struggle with incomplete asset inventories, limited visibility into cloud services, insufficient east-west network monitoring, and minimal telemetry from medical or IoMT devices. In practice, defenders may not fully understand which systems are exposed, how data flows across environments, or how attackers move laterally after compromise. These visibility gaps can significantly delay detection and incident response efforts in already complex healthcare ecosystems.

Talent Limitations

Effective defense now requires expertise across cloud security, medical device security, identity management, incident response, SaaS governance, and threat intelligence. However, the shortage of experienced cybersecurity professionals within healthcare continues to limit the ability of many organizations to mature their security operations and secure rapidly evolving hybrid environments at the pace required by the modern threat landscape.

The Overlooked Threat Surface

The convergence of healthcare and technology is expanding the attack surface, but the security mindset has not fully caught up. One of the most dangerous misconceptions in healthcare is the belief that being compliant means being secure. Frameworks and regulations enforce necessary controls (data protection, auditability, access restrictions), but they are inherently backward-looking and checklist-driven. They do not account for modern threat dynamics.

For instance, breaches in healthcare are often framed around ransomware or system outages. But beneath the surface lies a quieter, more persistent risk:

  • Shadow IT usage outside sanctioned systems
  • Credential exposure across third-party platforms and stealer logs
  • Leaked access to SaaS platforms and third-party tools
  • Infostealer malware harvesting credentials at scale
  • Real-time exploitation of leaked access

The technology sector, by contrast, increasingly focuses on continuous exposure management, assuming that credentials, tokens, and access paths are constantly at risk. Healthcare often lacks this mindset, creating blind spots where sensitive access exists outside the boundaries of compliance visibility.

We highlighted some items on the list to demonstrate real-world examples and attack scenarios.

Real-World Healthcare Exposure: What We Found

We used Flare to detect critical secret exposures in software registries and repositories. We defined a broad, holistic query that covers many secret exposure scenarios in code and packages.

We constructed a list of specific keywords that cover various topics, for instance:

  • Databases: “SNOWFLAKE_ACCOUNT” OR “SNOWFLAKE_USER” OR “MONGODB_URI” OR “ELASTICSEARCH_PASSWORD”
  • Cloud Accounts: “AWS_SECRET_ACCESS_KEY” OR “AZURE_CLIENT_SECRET” OR “GCP_PRIVATE_KEY”
  • AI Keys: “OPENAI_API_KEY” OR “ANTHROPIC_API_KEY”
  • Developer Keys: “GITHUB_TOKEN” OR “GITLAB_TOKEN” OR “NPM_TOKEN”
  • Payment Services Keys: “STRIPE_SECRET_KEY”
  • Email Delivery Platforms: “SENDGRID”
  • Cloud Native Environment Keys: “DOCKER_PASSWORD” OR “KUBECONFIG” OR “KUBE_CONFIG” OR “KUBE_TOKEN”
  • SSO and Federated Access: “OKTA_API_TOKEN”

To connect the findings to the healthcare industry, we also added this condition (“healthcare” OR “hospital” OR “medical” OR “pharma” OR “pharmaceutical” OR “clinic” OR “medicare” OR “biotech” OR “patient”).

Result: 15,476 relevant items identified. We focused on the 231 most critical cases. Below are selected examples that illustrate the threat, its implications, and its severity.

Using Flare to search for exposed healthcare secrets in public repositories and container registries

Using Flare to search for exposed secrets

Case Study One: Healthcare Secrets Exposed Through a Dedicated AI Application for Healthcare

We identified exposed secrets of a large healthcare organization in South America. The leak originated from a local healthcare technology platform that provides AI-assisted clinic and healthcare practice management services to help automate appointment scheduling, patient communication, and operational workflows while handling sensitive healthcare and patient-related information. Platforms like this are essential to secure because they may process regulated medical, billing, and patient data across interconnected healthcare environments.

The exposure occurred through the manifest of a single container image hosted in a public registry of the healthcare technology platform provider. The exposure appears to be fairly new and is regularly updated by the DevOps teams.

What was exposed:

  • Admin credentials with full access to the medical application
  • Credentials to the cloud service provider (GCP)
  • Full admin access to the email system
  • AI provider API keys (Claude and ChatGPT)
  • Credentials that enable full access to Supabase (a backend-as-a-service platform built around PostgreSQL that provides databases, authentication, storage, APIs, and real-time services for applications)
  • Full access to a PostgreSQL database

The healthcare organization’s secrets were leaked by the technology vendor building tools on their behalf, not by their own team.

Case Study Two: Shadow IT from a Contractor Exposes Healthcare Secrets

We identified a public personal container registry containing what appears to be the backend of a specific component in a healthcare operation. The exposure includes credentials for a hosted MongoDB instance. The Docker Hub registry appears to contain full database access.

MongoDB is a popular database commonly used by healthcare organizations to store and process large volumes of data. In a healthcare environment, an exposed MongoDB instance may contain highly sensitive information, including patient records, medical histories, prescription data, laboratory results, appointment details, insurance information, employee records, internal application data, and system credentials.

The exposure of such a database poses significant security and privacy risks, as attackers may be able to access, copy, modify, or delete the information. Beyond the potential compromise of protected health information (PHI), exposed databases can provide attackers with valuable insight into internal systems, business operations, and technology infrastructure, potentially enabling further attacks such as account compromise, ransomware deployment, fraud, or lateral movement within the organization’s environment.

Given the sensitivity and regulatory requirements associated with healthcare data, publicly accessible MongoDB databases represent a critical security concern that can lead to financial, legal, operational, and reputational consequences.

The person who accidentally leaked this secret did not use an email address from the exposed organization. Instead, they used one from a company that provides IT and programming services to healthcare organizations. This looks like the work of an external contractor: a personal registry used for development that inadvertently exposes production credentials.

The problem today is that healthcare compliance cannot see shadow IT. Healthcare organizations operate under some of the world’s most stringent regulatory frameworks, including HIPAA, the HITECH Act, GDPR, and, increasingly, NIS2. These regulations require organizations to protect electronic health information, maintain access controls, encrypt sensitive data, audit system activity, manage third-party risk, and demonstrate compliance through documented security programs.

But these controls primarily govern known and managed assets. They cannot protect software, cloud services, AI tools, personal SaaS accounts, or development environments that employees adopt without IT approval. Because shadow IT operates outside official inventories and compliance processes, it often falls beyond the visibility of traditional governance, creating blind spots where sensitive healthcare data may be stored, processed, or shared without the monitoring, auditing, or security controls required by regulation.

Case Study Three: Deletion Does Not Equal Remediation (The Persistence of Software Supply Chain Exposure)

We found a public repository of a software development and AI-focused technology company that specifically builds solutions for hospitals: cloud-based digital products, AI solutions, and custom business applications.

Today, this public repository does not contain any secrets. Someone noticed the mistake and deleted the data, but attackers often pull newly pushed content and scan for secrets and exposures. In the same manner, this data was indexed by Flare for timely and accurate threat exposure purposes.

What was exposed before deletion:

  • Super admin tenant secrets and full admin email access
  • Full admin access to a MongoDB instance
  • Marketing platform API key
  • Default production passwords
  • Encryption keys
  • Cloud service provider keys (AWS)
  • Access to S3 buckets
  • Payment application keys and secrets

We found another namespace linked to the same company, containing secrets of a pharmaceutical application, including admin access to a database instance, cloud keys (AWS), full access to S3 buckets, super admin tenant secrets, and full admin email access.

This type of human error is unfortunately common, and it requires immediate rotation of all exposed keys and full activation of incident response procedures to secure the environment and verify that attackers did not establish persistence or gain access to internal systems. Simply deleting the commit and continuing operations without further investigation is the wrong approach and can leave the organization exposed to ongoing compromise.

A deleted repository whose leaked healthcare secrets remain recorded by attackers and mirror websites

Today this data is unavailable, but attackers and mirror websites keep records of such leaks

The Role of Cyber Threat Intelligence (CTI) for Modern Healthcare Security Teams

CTI platforms provide defenders with visibility into risks that traditional security tools frequently miss. In healthcare environments, this includes:

  • Exposed secrets in public repositories and container registries
  • Leaked credentials harvested by infostealer malware
  • Malicious domains impersonating healthcare providers
  • Exposed cloud storage
  • Compromised contractor environments
  • Unauthorized third-party access paths

Unlike traditional monitoring approaches that primarily focus on internal systems, CTI allows organizations to monitor the broader external attack surface surrounding healthcare operations. This is particularly important because modern healthcare ecosystems increasingly rely on interconnected cloud providers, SaaS platforms, medical technology vendors, AI systems, contractors, APIs, and external development environments that may introduce exposure outside direct organizational control.

CTI also enables defenders to prioritize remediation based on real-world attacker activity rather than theoretical risk alone. Instead of waiting for alerts generated after compromise, security teams can proactively identify exposed credentials, vulnerable systems, leaked access tokens, or malicious infrastructure actively targeting the healthcare sector. 

In practice, this reduces detection time, improves incident response readiness, and helps organizations close critical gaps before attackers exploit them.

Why Exposure Visibility Matters

One of the biggest challenges facing healthcare defenders is incomplete visibility. Many organizations do not fully understand where sensitive access exists, which third parties hold privileged credentials, how cloud assets are exposed, or where secrets may have leaked across software supply chains and developer workflows.

 

As demonstrated throughout this article, many exposures originate outside traditional production systems. Secrets may appear in container registries, public repositories, CI/CD pipelines, developer environments, third-party contractor infrastructure, AI integrations, cloud-native tooling, or SaaS platforms used by healthcare operations. In many cases, the exposed access is highly privileged and capable of impacting production environments, patient-related systems, databases, cloud services, AI platforms, or communication systems.

 

CTI helps bridge this visibility gap by continuously monitoring external exposure sources and correlating them with healthcare-specific infrastructure, brands, identities, technologies, and operational systems. This enables defenders to identify high-risk exposure early and understand the broader attack paths available to threat actors.

Security for a Changing Threat Environment

Healthcare organizations increasingly operate at the intersection of critical patient care and highly interconnected digital infrastructure. As cloud adoption, AI integration, SaaS expansion, and third-party connectivity continue to grow, the healthcare attack surface expands far beyond traditional hospital networks. High-quality CTI plays a critical role in helping defenders understand and reduce these risks by providing visibility into external exposure, attacker behavior, leaked credentials, supply chain weaknesses, and emerging threats targeting healthcare environments.

Modern healthcare defense is no longer only about preventing ransomware or protecting isolated systems. It increasingly depends on understanding how attackers exploit identities, cloud environments, software supply chains, exposed secrets, and trusted integrations across complex healthcare ecosystems. Organizations that continuously monitor these exposure points are significantly better positioned to detect threats early, reduce blast radius, and improve resilience across modern healthcare infrastructure.

Identity-First Threat Intelligence for Healthcare

Close the Visibility Gap Where Healthcare Secrets Leak

Flare combines threat intelligence data, identity intelligence, and AI-driven workflows for detection through remediation across your external attack surface.

Start Your Free Trial

Share article

Related Content

View All
07.02.2026

$4 Social Security Numbers on the Dark Web Carry 30 Year Sentences: The Stolen Data Courts Punish the Most Severely

06.24.2026

The ABCs of CTI TCO

06.23.2026

6 Key Findings from the SANS CTI Survey: How to Build Influence with CTI