Cybersecurity researcher Jeremiah Fowler recently discovered an exposed healthcare database. The database held 5.7 TB of mental health and substance abuse treatment data that was accessible online without any password protection. Fowler traced the database and found that it belongs to Confidant Health, an Austin, TX-based firm that provides an AI-driven system that finds psychiatrists, therapists, and addiction treatment providers for patients in Connecticut, New Hampshire, Florida, Texas, and Virginia.
Fowler discovered approximately 126,000 files and 1.7 million logs in the database containing the personally identifiable information of patients, healthcare specialists, and therapists. The exposed data included names, addresses, state IDs, driver’s license details, Medicaid cards, prescription drugs, health records, drug test data for specific substances, and text transcripts and audio recordings of therapy sessions. The data maintained by Confidant Health were associated with the following services it provides: alcohol rehab, an online suboxone clinic, pre-addiction treatment, behavior change, opioid withdrawal management, a recovery coach, and medication-aided treatment.
The breach of sensitive patient information presents a threat to privacy and may bring about several negative outcomes, such as identity theft, extortion, and blackmail. Criminals could misuse this data to open fake accounts, submit bogus insurance claims, or intimidate patients by threatening to disclose their mental health details and take advantage of their vulnerabilities.
A few hours after Fowler informed Confidant Health about the data breach, the company restricted access to the database. The duration of the data exposure is unknown. It is also unclear whether the breach involved unauthorized access by individuals. There is no information about the nature of the database, including whether Confidant Health or a third-party company maintained it. Confidant Health is a registered HIPAA-covered entity that has a HIPAA Seal of Compliance. The data breach report has not yet been posted on the HHS Office for Civil Rights breach portal.