OSINT at the Hospital ER

So New Year’s Eve, I had to go to the local hospital emergency room with a family member. If you’ve ever been to the ER, you know it’s a lot of waiting…waiting on doctors, tests, results, etc. Well, the place was packed so there was A LOT of waiting. Sitting in the room behind a curtain, I was listening to the sounds in the hallway. Quite clearly, I could hear a doctor discussing another patient that he had seen earlier. Whether he was dictating for reports or discharge, admission, or whatever, I could hear this doc loud and clear. So much for HIPAA.

I heard the patient’s last name including the spelling, his age, sex, and city of residence. I also got a detailed list of what he was in for, the tests that were ordered, and possible care for his ailments. Being bored as I was, I decided to have some fun and dig around to see what I could find. Armed only with my smart phone, I hit up my local Google search and started with a phrase match for the guy’s last name and city. BINGO! First thing to pop up was the patient’s Facebook page. Okay, so I still wasn’t 100% sure this was my guy. For all I know, there could have been another guy or relative with the same last name in that town, so I visited the Facebook page to see what I could find.

I logged in on a dummy Facebook account and low and behold, his posts and pictures were all PUBLIC! His photo was his profile picture and his family’s photo was his cover photo. His employment information was listed including when he started, that he’s still employed there, and what he does there. His high school and hometown were listed including when he graduated. His “About Me” section continued to list family members with links to their Facebook pages (his wife, his son, brother, and mother). I checked out his wall since his posts were all public and he CHECKED IN to the hospital earlier that day and was giving an updated play-by-play of what he was in for, his treatment, etc., complete with a selfie in a hospital gown!

Well, now I’m pretty sure I had my guy, but I could still, by extremely slim chance, be wrong, so I decided to continue my pursuit. Hey, I’m sitting in the same hospital just down the hall from him bored out of my mind. Back to Google, I checked out a few other links, but they all brought me back to the same guy. For the hell of it, I sent him a Facebook friend request from my dummy account. If this guy is so into posting everything publicly, he probably would accept. Now mind you, my dummy account has a fake picture, a few friends that I don’t even know who they are, and all kinds of fake information and posts to make it look legitimate. Within minutes, he accepted my friend request!

I was now able to see his date of birth, his address, his life events including when he got engaged, married, started work, etc. I viewed the types of music he likes, his favorite books, movies, and TV shows. Bored looking through the hundreds of photos he’s posted — everything from food, selfies, pets, family, events, etc., I headed back to Google and did an exact match search.

Well, still bored at the hospital — the doctor did stop in briefly, but now we’re back to waiting again, I decided to look up his employer’s information and see if there was a website. It’s a pretty unique company name and was pretty easy and quick to find with a broad match search. Browsing around, I found a link for searching for specific employees. Typing in his name, I found out he’s the only employee there with that name and it brought me to a page that had his employee photo (matched his Facebook profile photo) and listed his work e-mail address and phone number.

Back to Google, I decided to do an exact match search on Images to see what would come up, not that the hundreds or more photos on Facebook weren’t enough. There’s photos in the local newspaper from different events around town that he sang or performed at, but more or less repeats of the photos from his Facebook page.

Well, the doc came back in with results and discharge instructions for my family member so my hunting came to an end, but in the few hours I was sitting in the hospital with nothing to do, I was able to find an awful lot of information on this other patient without any special tools other than Google searches on my smart phone and a dummy Facebook account. I’m tempted to call or write this patient (now that I have all of his info) and tell him this entire story and warn him of the dangers of posting so much information publicly. Only by overhearing some very generic basic information from the doctor in the hall, I was able to obtain his name, date of birth, addresses, family members, employment, phone number, e-mail, etc. In addition, I’d warn him that by posting so much information publicly, I could call him with a vhishing scam, e-mail him with a phishing scam, or physically attack his residence (none of which I plan on doing), but as a warning to educate him on the dangers he faces by posting publicly.

Related posts:

You must remember that these reactions are not logical and fight them instead of justifying your behavior when they overwhelm you. So try to avoid these absurd reactions whenever you notice that...

Aaaaggggh! I recognize what you’re in all likelihood wondering. I’m now not suitable in front of the digicam so why need to I make any movies? I’ll simply appearance ridiculous and people might not…

As heard as a trending sound from the show 30 Rock, “I want to go to there” does not only sum up our thoughts about concerts and nostalgic moments of the past. It is a reminder at one in the morning…