How did the 2025 Dr. Ansay breach expose cannabis prescriptions?

Is Dr. Ansay safe to use after the recent patient data leaks?

Dr. Ansay, a prominent online medical service provider, has suffered a second major data security incident within a two-year window. Following a breach in May 2024, a new vulnerability discovered in late 2025 exposed sensitive patient health data until early January 2026. This pattern suggests systemic issues regarding data governance and infrastructure security.

Technical Root Cause: Firebase Misconfiguration

The breach originated from an improperly secured Firebase Firestore database. This cloud-hosted NoSQL database relies on specific access rules to protect data. In this instance, the administrators failed to define strict permission boundaries.

Users logged in with a valid token could bypass intended restrictions. A user authenticated to view their own prescription could modify the request to retrieve records belonging to other patients. This type of vulnerability, known as Insecure Direct Object Reference (IDOR) or broken access control, allows unauthorized horizontal privilege escalation.
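As an added illustration, not part of the original article and not Dr. Ansay's actual configuration: a constructed Firestore rules file with the permissive pattern described above (any signed-in user may read every document) beside a corrected version, plus a small Python audit that flags allow statements not bound to the caller's identity. The patientId field name and the /prescriptions collection are assumptions.

```python
import re

# Constructed rules showing the misconfiguration described above: every signed-in
# user may read or write any prescription document (not Dr. Ansay's real rules).
WEAK_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /prescriptions/{prescriptionId} {
      allow read, write: if request.auth != null;
    }
  }
}"""

# Corrected form: reads are tied to the caller's uid via an assumed patientId
# field on the document, and client-side writes are disabled outright.
HARDENED_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /prescriptions/{prescriptionId} {
      allow read: if request.auth != null
                  && request.auth.uid == resource.data.patientId;
      allow write: if false;
    }
  }
}"""

# Tokens of interest: a match block opening, a closing brace, or an allow statement.
TOKEN_RE = re.compile(r"match\s+(?P<path>\S+)\s*\{|(?P<close>\})"
                      r"|allow\s+(?P<ops>[a-z,\s]+?):\s*if\s+(?P<cond>.*?);", re.S)

def is_permissive(cond: str) -> bool:
    """Heuristic: permissive if the condition does not deny outright and never
    binds access to the caller's identity (uid or custom token claims)."""
    cond = " ".join(cond.split())
    return cond != "false" and "request.auth.uid" not in cond and "request.auth.token" not in cond

def audit_rules(rules_text: str) -> list:
    """Return (path, operations, condition) for each allow statement open to any caller."""
    findings, stack = [], []
    for tok in TOKEN_RE.finditer(rules_text):
        if tok.group("close"):
            stack = stack[:-1]          # leave the current match block (safe when empty)
        elif tok.group("path"):
            stack.append(tok.group("path"))
        elif is_permissive(tok.group("cond")):
            ops = " ".join(tok.group("ops").split())
            cond = " ".join(tok.group("cond").split())
            findings.append((stack[-1] if stack else "/", ops, cond))
    return findings
```

The audit is a heuristic for review, not a substitute for the Firebase emulator's rules tests; a rule that checks a role claim via get() would still need manual review.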

Scope of Exposed Data

The scale of the leak is significant, affecting approximately 500,000 customers and exposing 1.7 million prescription records. The compromised dataset qualifies as high-risk under GDPR classifications due to the medical nature of the content.

Exposed Personally Identifiable Information (PII):

  • Full legal names
  • Residential addresses
  • Email addresses
  • Telephone numbers

Exposed Medical and Operational Data:

  • Cannabis prescriptions and dosage details
  • Painkiller orders
  • Physician data (approximately 15 doctors, mostly based outside Germany)
  • Pharmacy selection preferences

Operational Negligence and Delayed Response

The handling of the incident raises serious questions about the provider’s incident response capabilities. Whistleblowers attempted to contact Dr. Ansay repeatedly in late 2025. The company failed to acknowledge these reports and later attributed its silence to the Christmas holidays.

The vulnerability remained active until Heise Online, a German technology news outlet, intervened in early January 2026. The database was secured only after this media inquiry. This delay left patient data exposed to the public internet for an extended period, increasing the risk of scraping and exploitation.

Regulatory and Legal Implications

Dr. Ansay operates as a limited company based in Malta. This jurisdiction complicates legal recourse for German patients. While the company serves the German market, the enforcement of data subject rights often faces bureaucratic hurdles when cross-border entities are involved.

GDPR Violations:

  • Article 32 (Security of Processing): Failure to implement appropriate technical measures to ensure a level of security appropriate to the risk.
  • Article 33 (Notification of a Personal Data Breach): It remains unclear if the Maltese data protection authority was notified within the mandatory 72-hour window.
  • Article 34 (Communication to the Data Subject): There is no evidence that affected patients have been informed of the high risk to their rights and freedoms.

Risk Assessment for Users

The recurrence of security failures indicates that Dr. Ansay prioritizes rapid service deployment over security architecture. The May 2024 incident involved search engine indexing of PDF prescriptions; the 2025/2026 incident involved database access control failures.

Patients utilizing this platform for sensitive prescriptions, such as medical cannabis or lifestyle medication, face elevated privacy risks. The potential existence of this data on the darknet further compounds the threat of identity theft and social engineering attacks targeting patients’ medical history.