[BreachExchange] Patient names, treatments leak among millions of rehab records

Destry Winant destry at riskbasedsecurity.com
Wed Apr 24 06:39:05 EDT 2019


https://www.cnet.com/news/patient-names-treatments-leak-among-millions-of-rehab-records/

It's some of the most sensitive medical information a person could
have. Records for potentially tens of thousands of patients seeking
treatment at several addiction rehabilitation centers were exposed in
an unsecured online database, an independent researcher revealed
Friday.

The 4.91 million records included patients' names, as well as details
of the treatments they received, according to Justin Paine, the
researcher. Each patient had multiple records in the database, and
Paine estimates that the records may cover about 145,000 patients.

Paine notified the main treatment center, as well as the website
hosting company, when he discovered the database. The data has since
been made unavailable to the public. Paine found the data by typing
keywords into Shodan, a search engine that indexes servers and other
devices connected to the internet.

"Given the stigma that surrounds addiction, this is almost certainly
not information the patients want easily accessible," Paine said in a
blog post that he shared with CNET ahead of publication. Paine hunts
for unsecured databases in his free time. His day job is head of trust
and safety at web security company Cloudflare.

The find is the latest example of a widespread problem: Any
organization can easily store customer data on cloud-based services
now, but few have the expertise to set them up securely. As a result,
countless unsecured databases sit online and can be found by anyone
with a few search skills. Many of those databases are full of
sensitive personal data.

A leak of health care data is a significant problem and can trigger
requirements under federal law to notify patients of the exposure.
Paine said he has no indication that patients have been notified of
the database exposure and that Steps to Recovery, the Pennsylvania
rehab center whose data makes up the bulk of the leak, didn't respond
to his messages telling them of the exposure.

Steps to Recovery Chief Operating Officer Cory Cooper told CNET on
Friday the company is bringing in a cybersecurity firm to investigate.
The company will notify patients if the investigation finds there was
a breach that requires it, he said.

"We take the security and confidentiality of our patient records very
seriously," Cooper said.

Another rehabilitation center named in the data, Ohio Addiction
Recovery Center, didn't respond to a request for comment from CNET.
Cooper said the Ohio facility isn't associated with Steps to Recovery.

Paine said he could find further identifying information, like a
patient's age, birth date, address and family members, just by
searching their name and probable location. He said there's no
indication that hackers accessed the data.

"I found this data leak purely by accident, but a malicious person
could have also found this same data, and potentially used it as part
of identity theft," Paine said.

Medical identity theft is a common form of fraud in which someone uses
another person's name and insurance information to receive health
care. Sometimes this fraud happens on a much larger scale. In 2010,
federal investigators charged a group of people with setting up more
than 100 fake clinics and billing insurance companies for fake
services with stolen patient and doctor records.

But identity theft isn't the only risk to rehab patients whose data is
exposed online, said Eva Velasquez, executive director of the Identity
Theft Resource Center. The loss of privacy and the potential impact on a
patient's reputation are just as important.

"It speaks to the mindset that any entity has to adopt when it comes
to the data they collect and how they protect it," Velasquez said.
