DataBreaches.Net


Online AI Mental Health and Addiction Treatment Provider Exposed Patient Data

Posted on September 6, 2024 by Dissent Doe

For your “no need to hack when it’s leaking” files:

Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that contained thousands of records belonging to Confidant Health — an AI-powered platform offering mental health and addiction treatment. The database contained patient PII, psychosocial assessments including details about mental health or substance abuse, ID cards, health insurance information, and more.

Jeremiah writes:

I recently discovered a trove of publicly exposed mental health and substance treatment records. Some of these documents contained the names and PII of the patients, counselors, and medical professionals. The patients’ records contained images of driver’s licenses, ID cards, insurance cards, Medicaid cards, letters of care listing prescription medication, and medical record requests or waivers. The database also contained diagnostic drug tests indicating names, addresses, and test results for specific substances.

I saw documents indicating psychotherapy intake notes and psychosocial assessments that provided details about mental health or substance abuse, touching upon the patients’ family issues, psychiatric history, trauma history, medical conditions, and additional diagnoses. I also saw references to audio and video recordings of the sessions and text transcripts. These reports are highly detailed and discuss deeply personal family topics, disclosing names of children, parents, partners, and the nature of conflicts or other private issues.

Upon further research, it appeared that the documents belonged to Texas-based Confidant Health. The company provides services to residents of Connecticut, Florida, New Hampshire, Texas, and Virginia. I immediately sent a responsible disclosure notice, and public access to the documents was restricted within hours. I received a reply thanking me for the notification and saying that they would investigate. It is not known how long the documents were exposed or if anyone else may have gained access to the database. Only an internal forensic audit would be able to identify additional access or suspicious activity. It is also not known if the database was managed directly by Confidant Health or a third party.

Read more at vpnMentor.

DataBreaches notes that Confidant Health is covered by HIPAA for the protected health information (PHI) it collects. So there’s an issue here of whether Confidant intends to report this exposure incident to HHS as a breach.

DataBreaches would also note that Jeremiah’s well-intended advice is not necessarily appropriate for health data. He writes, in part, “Companies that provide medical or telehealth services can protect client data and prevent exposure online by encrypting all sensitive files and restricting access. I recommend giving sensitive records, such as health data, a limited lifespan.” Many, if not all, state laws mandate that medical/health records be stored for a minimum number of years (in New York, for example, it’s six years, and for minors, three years past their 18th birthday). Federal regulations also specify records retention for Medicare providers, etc. And of course, patients have to be able to access their medical records on request. Yes, records not actively needed should be secured properly and with more restricted access, but they probably cannot have the kind of “limited lifespan” that data protectors might ideally want or recommend for routine retail data sets.


Categories: Exposure, Health Data


1 thought on “Online AI Mental Health and Addiction Treatment Provider Exposed Patient Data”

  1. Ron P says:
    September 7, 2024 at 2:15 pm

    It seems that I get letters and emails at least two or three times a month notifying me of my information having been compromised through another data breach. Are data breaches this prevalent throughout all of the other advanced societies worldwide, such as Western Europe, Canada, Australia, etc.?
