Patient names, treatments leak among millions of rehab records

CNET | 4/19/2019 | Laura Hautala
abbycraig (Posted by) Level 3
Click For Photo: https://cnet1.cbsistatic.com/img/MAZ9NAogkUwJJ9pJuhlPhBSMDCE=/756x567/2019/02/27/4702fb3f-c033-4830-8433-be58226f6831/cybersecurity-hacking-11.jpg

It's some of the most sensitive medical information a person could have. Records for potentially tens of thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday.

The 4.91 million documents included patients' names, as well as details of the treatments they received, according to Justin Paine, the researcher. Each patient had multiple records in the database, and Paine estimates that the records may cover about 145,000 patients.

Paine - Treatment - Center - Website - Company

Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.

"Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible," Paine said in a blog post that he shared with CNET ahead of publication. Paine hunts for unsecured databases in his free time. His day job is head of trust and safety at web security company Cloudflare.

Find - Example - Problem - Organization - Customer

The find is the latest example of a widespread problem: Any organization can easily store customer data on cloud-based services now, but few have the expertise to set them up securely. As a result, countless unsecured databases sit online and can be found by anyone with a few search skills. Many of those databases are full of sensitive personal data.

A leak of health care data is a significant problem that can trigger requirements under federal law to notify patients of the problem. Paine said he has no indication that patients have been notified of the database exposure and that Steps to Recovery, the Pennsylvania rehab center whose data makes up the bulk of the leak, didn't respond...
(Excerpt) Read more at: CNET
Wake Up To Breaking News!
Have you forgotten?
Sign In or Register to comment.

Welcome to Long Room!

Where The World Finds Its News!