Medical details of around 150,000 rehab patients in the open

News by Rene Millman

A security researcher has discovered an improperly secured ElasticSearch database that contained personally identifiable information (PII) related to individuals who had received medical treatment at an addiction treatment centre in the US.

The data was found by Cloudflare director of Trust and Safety Justin Paine while looking for unprotected internet-enabled devices using Shodan.

He said that the data appears to cover patient records from mid-2016 to late 2018 and amounts to roughly 4.9 million rows of data.

Paine added that based on the name of the database and additional information in the database it appears this was patient data from Steps to Recovery, an addiction treatment centre located in Levittown, PA, US. He said that he notified Steps To Recovery regarding the data leak, but also notified the hosting provider given the sensitivity of the data.

"To date I have not received any reply from Steps To Recovery, but the hosting provider notified their customer who then promptly took action to disable access to the database. It is unclear if Steps To Recovery took this action, or if someone may have been running this database on their behalf," said Paine in a blog post.

The researcher said that a leak of PII related to 146,316 unique patients would be bad on any day.

"It's particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible," said Paine.

He added that a malicious user would be able to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.

"If you search on Google for the patient name and, in the example included above, 'Ohio' where the addiction recovery center was located, it becomes trivial to locate more information about this patient," he said.

"After briefly reviewing just the freely available information though I could still tell you, with reasonably high confidence, the patient's age, birthdate, address, past addresses, the names of the patient's family members, their political affiliation, potential phone numbers and email addresses," said Paine.

He added that he found this data leak purely by accident, "but a malicious person could have also found this same data, and potentially used it as part of identity theft."

Tim Mackey, senior technical evangelist at Synopsys, told SC Media UK that misconfigured databases are a recurring security theme, but one which is easily preventable through automated checks.

"Public access to a raw database is rarely the correct configuration but is one which can facilitate debug activities by developers and support teams. If that is the case here, the engineering leadership within the development team should look hard at alternatives other than having public access, even through logins, for any database containing PHI," he said.
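As an added illustration of the kind of automated check Mackey refers to (example code, not from the article, Steps to Recovery or the hosting provider), the following Python audit flags an elasticsearch.yml that binds the node beyond loopback while X-Pack security is off. The sample configuration is constructed, and treating an absent xpack.security.enabled as disabled is an assumption that holds for Elasticsearch releases before 8.0.

```python
# Constructed sample elasticsearch.yml fragment (not from the article);
# it reproduces the risky pattern: bound to all interfaces, security off.
SAMPLE_ES_YML = """\
cluster.name: patient-records
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Values of network.host that keep the node reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines Elasticsearch uses; skips comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_es_config(text):
    """Return a list of findings for an elasticsearch.yml; an empty list means no exposure.

    Assumption: a missing xpack.security.enabled is treated as disabled (pre-8.0 behaviour).
    """
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")  # Elasticsearch default binds loopback only
    hosts = {h.strip() for h in host.strip("[]").split(",")}
    exposed = not hosts <= LOOPBACK
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    if exposed:
        findings.append(f"network.host={host}: node reachable beyond loopback")
    if exposed and not security_on:
        findings.append("xpack.security.enabled is not true: REST API on port "
                        f"{s.get('http.port', '9200')} accepts unauthenticated requests")
    return findings


if __name__ == "__main__":
    for finding in audit_es_config(SAMPLE_ES_YML):
        print("FINDING:", finding)
```

Run it against each node's configuration in CI or a configuration-management hook so a public bind without authentication fails the build before the node is deployed.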
