DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Online AI Mental Health and Addiction Treatment Provider Exposed Patient Data

Posted on September 6, 2024 by Dissent Doe

For your “no need to hack when it’s leaking” files:

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained thousands of records belonging to Confidant Health — an AI-powered platform offering mental health and addiction treatment. The database contained patient PII, psychosocial assessments including details about mental health or substance abuse, ID cards, health insurance information, and more.

Jeremiah writes:

I recently discovered a trove of publicly exposed mental health and substance treatment records. Some of these documents contained the names and PII of the patients, counselors, and medical professionals. The patients’ records contained images of driver’s licenses, ID cards, insurance cards, medicaid cards, letters of care listing prescription medication, and medical record requests or waivers. The database also contained diagnostic drug tests indicating names, addresses, and test results for specific substances.

I saw documents indicating psychotherapy intake notes and psychosocial assessments that provided details about mental health or substance abuse, touching upon the patients’ family issues, psychiatric history, trauma history, medical conditions, and additional diagnoses. I also saw references to audio and video recordings of the sessions and text transcripts. These reports are highly detailed and discuss deeply personal family topics, disclosing names of children, parents, partners, and the nature of conflicts or other private issues.

Upon further research, it appeared that the documents belonged to Texas-based Confidant Health. The company provides services to residents of Connecticut, Florida, New Hampshire, Texas, and Virgina. I immediately sent a responsible disclosure notice, and public access to the documents was restricted within hours. I received a reply thanking me for the notification and saying that they would investigate. It is not known how long the documents were exposed or if anyone else may have gained access to the database. Only an internal forensic audit would be able to identify additional access or suspicious activity. It is also not known if the database was managed directly by Confidant Health or a third party.

Read more at VPN Mentor.

DataBreaches notes that Confidant Health is covered by HIPAA for the protected health information (PHI) it collects. So there’s an issue here of whether Confidant intends to report this exposure incident to HHS.

DataBreaches would also note that Jeremiah’s well-intended advice is not necessarily appropriate for health data. He writes, in part, “Companies that provide medical or telehealth services can protect client data and prevent exposure online by encrypting all sensitive files and restricting access. I recommend giving sensitive records, such as health data, a limited lifespan. ” Many, if not all, state laws mandate medical/health records be stored for a minimum number of years (in New York, for example, it’s six years but for minors, for three years past their 18th birthday). Federal regulations also specify records retention for Medicare providers, etc. And of course, patients have to be able to access their medical records on request. Yes, records not actively needed should be secured properly and with more restricted access, but they probably cannot have the kind of “limited lifespan” that data protectors might ideally want or recommend for routine retail data sets.

 

Category: ExposureHealth Data

Post navigation

← Russian military hackers linked to critical infrastructure attacks
Russian And Kazakhstani Men Indicted For Running WWH Club and Other Dark Web Criminal Marketplaces, Forums, And Trainings →

1 thought on “Online AI Mental Health and Addiction Treatment Provider Exposed Patient Data”

  1. Ron P says:
    September 7, 2024 at 2:15 pm

    It seems that I get letters and emails at least two or three times a month notifying me of my information having been compromised through another day to breach. Are data breaches this prevalent throughout all of the other advanced societies worldwide, such as Western Europe, Canada, Australia, etc?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.