
Update: June 27, 2025
A recent data leak exposed 2.7 million patient profiles and 8.8 million appointment records. The database, running MongoDB's open-source database software, was publicly accessible without any password or other authentication for an unspecified period.
Gargle is a HIPAA Business Associate
MongoDB has not confirmed which company owned the data, but researchers believe it may have been Gargle. This Utah-based company specializes in building websites and providing marketing, SEO, and web development services for dental practices. The incident was caused by a misconfiguration within Gargle’s self-managed, open-source MongoDB database, not by a breach of MongoDB’s own systems or services.
Gargle is a HIPAA business associate if it has access to protected health information (PHI) held by its covered entity customers.
The types of PHI exposed included individuals’ names, dates of birth, email addresses, postal addresses, phone numbers, gender information, chart IDs, language preferences, billing details, and appointment records (including patient metadata, timestamps, and institutional references).
Researchers at Cybernews discovered the misconfigured database on March 26, 2025. It’s not clear how long the data remained open, but after being informed about the leak, the company secured the database.
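The article does not show Gargle's configuration, so the following is an added illustration rather than anything from the incident: two `mongod.conf` fragments, the exposed pattern the article describes (listening on every interface with authorization disabled) and a hardened form. The certificate path is a placeholder.

```yaml
# Added example: mongod.conf fragments, not Gargle's actual configuration.
# First document: the exposed pattern. Since MongoDB 3.6, bindIp defaults to
# localhost, but authorization is still disabled by default, so a deployment
# that widened bindIp without enabling it serves every collection to anyone
# who can reach port 27017.
---
net:
  port: 27017
  bindIp: 0.0.0.0            # reachable from the public Internet
security:
  authorization: disabled    # no credentials required for any operation

# Second document: the hardened form. Bind only to the loopback or private
# application-subnet address, require a role-based login for every command,
# and encrypt client traffic. Restart mongod after changing these keys.
---
net:
  port: 27017
  bindIp: 127.0.0.1          # or the private subnet address, never 0.0.0.0
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled     # every operation needs an authenticated role
```

After restarting mongod with the hardened settings, an unauthenticated `mongosh --eval 'db.adminCommand({ listDatabases: 1 })'` against the instance should be refused with an authentication error; if it still lists databases, the change did not take effect.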
Gargle also offers integrations for real-time scheduling, patient communication, payment processing, and online form submissions.
As Cybernews notes,
“All the services are critical touchpoints that, if not securely configured, can become entry points for attackers. It is likely that the exposed medical data may have leaked from internal infrastructure tied to these third-party services.”
HIPAA Breach Notification Requirements
If a business associate experiences a breach, it must inform each affected covered entity customer within 60 days of discovery. The breach must also be reported to the Secretary of the U.S. Department of Health and Human Services (HHS), and breach notification letters must be sent to the affected individuals.
It is the responsibility of each affected covered entity to send notification letters to affected individuals within 60 days of learning about a breach at a business associate. However, the covered entity may delegate the responsibility for individual notifications to the business associate.
Health Data Breach Remains Unreported
As of today, there is no report on the HHS breach reporting tool that matches this event, nor are there reports from dental providers since the breach was discovered that appear to be related. The company whose data was exposed is likely still investigating to learn more about the incident before filing a report. Breach investigations can be complex and time-consuming.
Although signs point to Gargle as the entity whose data was breached, Gargle’s website, as of today, does not contain a breach notice.
If an internal investigation uncovers that patient data was compromised, Gargle will likely post a notice on its website, and report it to HHS. Alternatively, it’s possible that each Gargle dental practice customer will file their own breach report to HHS.
Limit Risk With HIPAA Compliance
It’s common for healthcare providers to engage vendors to help them run their business. Whether for marketing, insurance reimbursement, billing, or collections, third-party vendors are essential in healthcare. From a HIPAA perspective, providers must enter business associate agreements (BAAs) with third-party vendors that “create, receive, maintain or transmit” PHI.
Conduct due diligence with the business associates.
- Do they follow HIPAA?
- Do they have HIPAA policies and procedures in place?
- Do they conduct HIPAA training with their workforce?
- Have they performed a HIPAA risk analysis?
After conducting due diligence, enter a BAA with them.
If the worst happens and a breach occurs at the business associate, the business associate bears its own responsibility, and the provider’s exposure is limited, provided the provider has maintained its own HIPAA compliance and performed a risk analysis. Business associates must answer to HHS for their own compliance.