For your “no need to hack when it’s leaking” files:
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained thousands of records belonging to Confidant Health — an AI-powered platform offering mental health and addiction treatment. The database contained patient PII, psychosocial assessments including details about mental health or substance abuse, ID cards, health insurance information, and more.
Jeremiah writes:
I recently discovered a trove of publicly exposed mental health and substance treatment records. Some of these documents contained the names and PII of the patients, counselors, and medical professionals. The patients’ records contained images of driver’s licenses, ID cards, insurance cards, medicaid cards, letters of care listing prescription medication, and medical record requests or waivers. The database also contained diagnostic drug tests indicating names, addresses, and test results for specific substances.
I saw documents indicating psychotherapy intake notes and psychosocial assessments that provided details about mental health or substance abuse, touching upon the patients’ family issues, psychiatric history, trauma history, medical conditions, and additional diagnoses. I also saw references to audio and video recordings of the sessions and text transcripts. These reports are highly detailed and discuss deeply personal family topics, disclosing names of children, parents, partners, and the nature of conflicts or other private issues.
Upon further research, it appeared that the documents belonged to Texas-based Confidant Health. The company provides services to residents of Connecticut, Florida, New Hampshire, Texas, and Virgina. I immediately sent a responsible disclosure notice, and public access to the documents was restricted within hours. I received a reply thanking me for the notification and saying that they would investigate. It is not known how long the documents were exposed or if anyone else may have gained access to the database. Only an internal forensic audit would be able to identify additional access or suspicious activity. It is also not known if the database was managed directly by Confidant Health or a third party.
Read more at VPN Mentor.
DataBreaches notes that Confidant Health is covered by HIPAA for the protected health information (PHI) it collects. So there’s an issue here of whether Confidant intends to report this exposure incident to HHS.
DataBreaches would also note that Jeremiah’s well-intended advice is not necessarily appropriate for health data. He writes, in part, “Companies that provide medical or telehealth services can protect client data and prevent exposure online by encrypting all sensitive files and restricting access. I recommend giving sensitive records, such as health data, a limited lifespan. ” Many, if not all, state laws mandate medical/health records be stored for a minimum number of years (in New York, for example, it’s six years but for minors, for three years past their 18th birthday). Federal regulations also specify records retention for Medicare providers, etc. And of course, patients have to be able to access their medical records on request. Yes, records not actively needed should be secured properly and with more restricted access, but they probably cannot have the kind of “limited lifespan” that data protectors might ideally want or recommend for routine retail data sets.
It seems that I get letters and emails at least two or three times a month notifying me of my information having been compromised through another day to breach. Are data breaches this prevalent throughout all of the other advanced societies worldwide, such as Western Europe, Canada, Australia, etc?