Mental Health Records Database Found Exposed on Web
Cyber Researcher Reported Findings to Virtual Care Provider; Data Now Secured
An AI-powered virtual care provider's unsecured database allegedly exposed thousands of sensitive mental health and substance abuse treatment records between patients and their counselors on the internet - where they were available to anyone, said the security researcher who discovered the trove.
Although it is unclear how long the records were allegedly left exposed, Texas-based virtual care company Confidant Health secured the data within hours of hearing from security researcher Jeremiah Fowler, who notified the firm about his discovery. In total, the 5.3-terabyte database - unprotected by a password or any other form of authentication - contained 126,276 files, along with a separate folder holding 1.75 million logging records, he said.
Documents in the database included names and sensitive information of Confidant Health patients, counselors and medical professionals, Fowler said.
"The patients' records contained images of driver's licenses, ID cards, insurance cards, Medicaid cards, letters of care listing prescription medication, and medical record requests or waivers. The database also contained diagnostic drug tests indicating names, addresses and test results for specific substances," he said in a report issued Friday.
"I saw documents indicating psychotherapy intake notes and psychosocial assessments that provided details about mental health or substance abuse, touching upon the patients' family issues, psychiatric history, trauma history, medical conditions and additional diagnoses," he said.
Fowler said he saw references to audio and video recordings of the sessions and text transcripts covering "highly detailed and deeply personal family topics, disclosing names of children, parents, partners and the nature of conflicts."
Fowler, who is a researcher at security vendor vpnMentor and co-founder of security services firm Security Discovery, told Information Security Media Group he manually analyzed about 1,000 documents and estimated that about 60% of them were accessible.
"With such a large number of documents, the only way to know how many were exposed would have been to go through each one, and this would have taken a very long time and allowed those documents to be at risk longer, so I made the decision to report it as soon as possible," he said.
"Many of the patients have multiple documents so it is possible that perhaps one may have had some but not all records exposed on their specific files. The application has been downloaded at least 10,000 times on Android alone so I would say that is a baseline or minimum without counting iOS or direct users going to physical locations," he said.
The specific files that Fowler found "were accessible using nothing more than an internet browser and required no password or administrative credentials once you knew the file path or URL address," he told ISMG.
On its website, Confidant Health calls itself an "app-based hub of resources and real-life clinical providers" offering a range of services including alcohol rehab, an online Suboxone clinic, pre-addiction treatment, addiction treatment, a behavior change program, a recovery coach, opioid withdrawal management and medication-assisted treatment.
The company also offers a Telehealth Addiction Recovery application that is available for iOS and Android.
Confidant Health did not immediately respond to ISMG's request for comment on Fowler's alleged discovery.
Common Mishaps?
Fowler said he doesn't know why or how the Confidant Health files became exposed to the internet, but it isn't the first time he has discovered troves of unsecured health information. In a report issued in January, Fowler said he discovered an unsecured database appearing to belong to a Netherlands-based medical laboratory that exposed 1.3 million records on the internet, including COVID test results and other personally identifiable information.
Fowler said the data appeared to belong to Coronalab.eu, which is owned by Microbe & Lab, a medical laboratory based in Amsterdam (see: Medical Lab Database Exposed 1.3M Records, COVID Test Info).
"I recommend that healthcare providers conduct regular security audits of their network and storage environments," Fowler said. "Ensure that any third-party vendors or contractors also test their systems for vulnerabilities and that any additional software is up to date. There is no one-size-fits-all approach to cybersecurity, and with a patchwork of different systems for data collection and storage, it leaves plenty of room for gaps," he said.
"My advice would be to understand that patient data is equally as valuable as the services provided, and only by investing in data security and being proactive can entities avoid data incidents."
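The exposure described above came down to storage that answered unauthenticated requests, and Fowler's closing recommendation is regular audits of storage environments. The following is an added example of what one such automated audit check can look like; it is not code from the article, from Confidant Health or from the researcher. The article does not say what kind of storage was exposed, so the example assumes an AWS S3-style bucket configuration (bucket policy, ACL and public-access-block settings) as a concrete stand-in, and both bucket configurations below are constructed for illustration, with a placeholder account ID.

```python
"""Audit a bucket configuration for anonymous read access (added example).

Assumes an AWS S3-style policy/ACL/PublicAccessBlock layout as a stand-in
for whatever storage was actually exposed. Sample configs are constructed.
"""

READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
PUBLIC_GROUPS = {
    # Anyone on the internet, with or without an account.
    "http://acs.amazonaws.com/groups/global/AllUsers",
    # Any AWS account holder - still effectively public.
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement's Principal means 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Return Sids (or indexes) of unconditional Allow statements that let
    everyone read objects or list the bucket."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditional grants are out of scope here
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if set(_as_list(stmt.get("Action", []))) & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_acl_grants(acl):
    """Return permissions the ACL grants to the public groups above."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def audit_bucket(cfg):
    """Combine the checks into a list of human-readable issues (empty = clean)."""
    issues = []
    pab = cfg.get("PublicAccessBlock", {})
    if not all(pab.get(k) for k in PAB_KEYS):
        issues.append("public access block is not fully enabled")
    for sid in public_read_statements(cfg.get("Policy", {})):
        issues.append(f"bucket policy grants anonymous read: {sid}")
    for perm in public_acl_grants(cfg.get("Acl", {})):
        issues.append(f"ACL grants {perm} to a public group")
    return issues


# Constructed sample: the kind of setup that serves files to anyone with the URL.
EXPOSED_BUCKET = {
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::records/*"}]},
    "Acl": {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]},
    "PublicAccessBlock": {k: False for k in PAB_KEYS},
}

# Constructed sample: access limited to one application role (placeholder account ID).
HARDENED_BUCKET = {
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::records/*"}]},
    "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                        "Permission": "FULL_CONTROL"}]},
    "PublicAccessBlock": {k: True for k in PAB_KEYS},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(cfg) or ["no issues"])
```

The check runs on a configuration dict so it works offline; in practice the same logic would be fed by the storage provider's API on a schedule, and a non-empty result from `audit_bucket` is the condition to alert on before any patient record is reachable from a plain browser.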