DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Exclusive: More than 90,000 patient billing files from an alcohol and drug addiction treatment network exposed online

Posted on November 14, 2019 by Dissent

Update:  On December 2, Sunshine Behavioral Health reported this incident to HHS as impacting 3500 patients. They also ticked the box for Business Associate.  

Update 2:  On January 23, 2020, ID Experts submitted a copy of their notification to patients to the Vermont Attorney General’s Office.


Another day, another leak. In this case, an error exposed some personal and financial information of patients treated for alcohol or drug addiction. 

Sunshine Behavioral Health, LLC is a private network of drug and alcohol addiction treatment facilities with locations in California, Texas, and Colorado. At some time as yet unknown to DataBreaches.net, approximately 93,000 patient files related to billings for patients at their Monarch Shore, Chapters Capistrano, and Willow Springs Recovery facilities were exposed online due to a misconfiguration of an Amazon AWS s3 bucket.  DataBreaches.net notes that the approximately 93,000 files did not represent 90,000 unique patients, as for many patients, there was more than one file, and not all files were actual files (some appeared to be templates or test data).

The leak was discovered in August by someone who shared the exposed data with DataBreaches.net. After verifying that the data were exposed, this blogger called Sunshine Behavioral Health on September 4 to alert them to the exposed data.

The employee who took the call said he understood that he needed to pass along the message immediately to their infosecurity people, but the files were still unsecured the next day. So DataBreaches.net called them again. This time, I was told that the employee I had spoken with the previous day was not there at the time, and I was asked to call back. I may or may not have hollered at that point, but  I did tell the employee who had answered the phone that I wouldn’t call back again, and they needed to have someone in charge of patient privacy or data security call me back promptly.

Stephen VanHooser, their Director of Compliance, returned my call. He claimed he knew nothing about my phone call to them the previous day, so I have no idea what the first employee did, if anything.  But after I spoke with VanHooser, access to the bucket was disabled.

Sunshine Behavioral never got back to me to tell me the results of any investigation or what they were doing in response to the incident. And there has been nothing on their website, the California Attorney General’s website, or HHS’s public breach tool, even thought it is more than 70 days since they were first notified or discovered the exposure.

Did Sunshine Behavioral Health ever notify HHS OCR or any patients or state regulators?  Did they investigate and determine that notification was not required? Do they know how many people might be in possession of a copy of all those files? DataBreaches.net does not know the answer to those questions.

But in trying to follow up to see what they had done, I realized that the  files were still accessible without any password required if you knew where to look. And anyone who had downloaded the urls of the files in the bucket while the bucket was exposed would know where to look (I realize this is true for these situations in general and it is not unique to Sunshine Behavioral Health).

Many of the files in the exposed bucket contained patients’ first and last names. Screenshot of partial listing of files concerning patients at Chapters Capistrano facility redacted by DataBreaches.net.
Some of the files related to patients at Willow Springs Recovery were past due notices containing the patient’s name, insurance carrier and policy number, and amount past due. Other files also contained the patient’s postal address and email address.  Screenshot redacted by DataBreaches.net .

On November 10, I sent VanHooser an email notification that the files were still not secure. I also asked what Sunshine had found after they investigated my September 4 notification and I asked whether they had notified any regulators or patients.

Getting no response at all, I sent a second email to him on November 12. He has not responded, but it appears access to the files has been disabled.

So what was in the unencrypted files? They generally did not contain treatment or medical history records, although a few do contain diagnostic codes, treatment codes, or reference to “detox.” For the most part, though, they were billing statements or correspondence concerning unpaid bills for some patients treated between 2016 and this year. The screenshots above show two of a number of types of files in the exposed bucket. Files revealed the following kinds of patient information:

  • full name
  • date of birth
  • postal and email addresses
  • telephone numbers
  • full credit card numbers with expiration dates (month/year) and full CVV code
  • health insurance membership number, account number, statements concerning insurance benefits, and amounts due and paid.

Not all patients had all of those data types exposed.

Because Sunshine Behavioral Health did not respond to queries, DataBreaches.net sent inquiries to some patients whose data was exposed to ask if they were ever notified of the exposure incident. So far, out of the small sample of patients, none of the emails have bounced back, but none of the patients have responded.

This post may be updated if more information is obtained. DataBreaches.net has not yet decided whether to report this incident to HHS OCR, but is reporting it here because Sunshine Behavioral Health has neither posted anything on their site nor informed this site whether they have made notifications to patients and/or regulators.

Correction: a previous version incorrectly stated that there were partial expiration dates for credit card numbers. Those were actually full expiration dates (month/year).

Category: Breach IncidentsCommentaries and AnalysesExposureHealth DataU.S.

Post navigation

← Medical supply firm notifies patients after phishing incident
TX: City of San Angelo investigating Click2Gov breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.