Security & Privacy Portal

Welcome to Aidoc's Security & privacy Portal. Our commitment to data privacy and security is embedded in every part of our business. Use this portal to learn about our security posture and request access to our security documentation.
Security@aidoc.com
Privacy@aidoc.com

Yale New Haven Health
Einstein Healthcare Network
Rigshospitalet
ChristianaCare
Everlight Radiology
Cedars-Sinai
Denver Health
UZ Brussel
Carle Health
Mount Sinai Health System
Sana Kliniken
Envision Healthcare
BG Kliniken
University Hospital Basel
Region Halland

Documents

Security and privacy statement

Access Control

Access is tightly monitored and controlled at our company. We are happy to provide more details about our access control practices upon request.

Infrastructure

We take great care to work with best-in-class infrastructure providers that provide secure computing and storage. We are happy to provide more details about our infrastructure upon request.

Security & Privacy Portal Updates

Warmly Widget on Aidoc Website

General

Technical Investigation Report: Third-Party Marketing Integration Disclosure
Incident ID: INC-2026-002 | Status: Contained & Remediated | Last Updated: February 5, 2026, 12:00 PM IST

Executive Summary:
On February 4, 2026, Aidoc was notified of a security disclosure involving a third-party marketing script, Warmly, used exclusively on our corporate marketing website (www.aidoc.com). The report claimed that production credentials for the vendor’s systems were visible in client-side JavaScript code.

Our investigation confirmed that no Aidoc clinical systems, patient data, PHI, or any customer data were impacted. While the specific plugin code mentioned in the disclosure may appear unusual to an outside observer, it is a known state that is secure by design. The API keys exposed in this plugin’s code do not enable any read operations on Aidoc’s databases, nor do they provide any means by which such access could be obtained. In addition, the marketing environment is strictly isolated from our FDA-cleared AI platform and production medical environments.

Incident Timeline (UTC)

2026-02-04 17:34 - Initial email received from an external researcher.
2026-02-04 17:53 - Security team alerted; incident response initiated.
2026-02-04 18:20 - Containment: Warmly script removed from the Aidoc marketing website.
2026-02-04 19:00 - Forensic review of HubSpot and Salesforce integrations began.
2026-02-04 22:26 - Initial proactive disclosure sent to partners and stakeholders.
2026-02-05 09:30 - Technical audit of all remaining website plugins completed.

Technical Root Cause:
Following a detailed review of the vendor’s administrative interface and integration documentation, it has been confirmed that the "exposed" keys (e.g., ClientID and Public API tokens) are intended to be public-facing by design. As evidenced by the vendor's official onboarding instructions, these scripts are architected to reside in the client-side HTML to enable browser-to-cloud communication. These are restricted, low-privilege tokens that do not grant access to backend databases or administrative functions. Consequently, this report classifies the initial disclosure as a False Positive with respect to any actual vulnerability, as the observed state is a functional requirement of the Warmly service.

Impact Assessment:
Based on our forensic review and log analysis of the third-party marketing script Warmly, we can confirm that no Aidoc clinical systems, patient data (PHI), or any customer data were read by Warmly. Our investigation and log analysis confirmed that the "exposed" keys were generic, public-facing tokens with restricted, low-privilege access, as designed by the vendor, and they do not grant access to our backend databases or administrative functions. The marketing environment is strictly isolated from our FDA-cleared AI platform and production medical systems. Our internal logs further confirm that no suspicious activity or unauthorized access to Aidoc-managed databases occurred, leading us to classify the initial disclosure as a False Positive. Therefore, our customers and partners can rest assured that their data remains secure, and no action is required on their part.

Actions Taken & Remediation:

  • Isolation: Immediately deactivated and removed the third-party script from our CMS until our team finishes reviewing the disclosure details.
  • Access Revocation: Temporarily suspended OAuth integrations between the vendor and our marketing/sales tools (HubSpot and Salesforce).
  • Forensic Investigation: Conducted a comprehensive log review, which confirmed that no data was read from our CRM by the vendor during the period of exposure.
  • Review of Warmly’s integration and service: Conducted a review of Warmly’s integration APIs to verify the “exposed” API keys are indeed low privilege and secure by design.
  • Review of the sender and the original email: The sender identifies as Cyrus Massoumi, an experienced tech entrepreneur. The real Massoumi’s domain is cyrusmassoumi.com (registered since 2001), while the sender used massoumicyrus.com (registered 2016, used mostly starting 2025).

What This Means for You:
No action is required from our customers or partners. Your data remains secure, and our clinical services continue to operate without interruption. We maintain a "defense-in-depth" strategy, ensuring that even a weakness in a peripheral third-party tool cannot compromise our core healthcare mission.

For further inquiries, please contact the Aidoc Security Team at security@aidoc.com.

On Feb 4, 2026 we received an email from a self-described security researcher concerning Aidoc’s website, claiming to disclose a vulnerability.

Please note: The marketing website environment is strictly isolated from Aidoc’s clinical and production environments. Aidoc’s core systems have not been impacted.

Upon receiving the notification, our Security and Incident Response teams conducted an immediate review. We wish to share the following findings:

  • Clinical Systems Are Secure: The report concerns a third-party marketing plugin (Warmly) used exclusively on our marketing website (aidoc.com). This environment is architecturally and logically separated from Aidoc’s clinical AI platform, hospital data integrations, and production medical environments.
  • Third-Party Credentials: The associated API keys identified in the report are not Aidoc’s internal credentials. Instead, they are generic keys inherent to the third-party marketing tool’s deployment. No Aidoc-managed databases or internal systems were directly accessible via these keys.
  • No PHI Exposure: Because our medical platforms and patient data do not reside on or connect to our marketing website infrastructure, there has been no compromise of Protected Health Information (PHI) or patient clinical data.
  • Vendor Remediation: Out of an abundance of caution, we have temporarily removed the third-party integration from our marketing website. Until we finish looking into this thoroughly, the code in question is not being served. We have performed a comprehensive review and confirm that no internal services, production databases, or patient information were at risk.

Our Commitment: Security is the foundation of our work in healthcare. While this report was external to our core platforms and had no impact on production data or services, we take every report seriously and are thoroughly looking into this disclosure.

If you have any questions, please do not hesitate to reach out to us directly at security@aidoc.com. Thank you for your continued trust in Aidoc.

The Aidoc Security Team
