The leaks are never-ending, but naturally, some are more sensitive than others.
Some 145,000 patients have had their protected health information exposed in what is only the latest of many major leaks of sensitive medical records in recent years, according to security researcher Justin Paine, director of trust and safety at Cloudflare.
In a post on his personal blog on Friday (first reported on by CNET), Paine said that he unearthed a wealth of personally identifiable information that was left publicly exposed by an addiction recovery treatment center. In total, some 4.91 million documents were accessible to virtually anyone who knew where to look.
The files both identified the patients and the types of treatment they’d received, he said.
Paine identified the source of the exposure as Steps to Recovery, a clinic based in Levittown, Pennsylvania. Gizmodo has not reviewed the data itself; however, Paine wrote that it was secured after he reached out to the clinic. Steps to Recovery did not immediately respond to a request for comment.
“Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” said Paine, who reported discovering the files using Shodan, a search engine popular among security shops because it automatically indexes servers and other devices connected to the internet.
He also said additional information about patients was easy to come by using Google. For one randomly selected patient, Paine managed to acquire their age, birthdate, address, and names of family members, along with potential phone numbers and email addresses where they could be reached.
“The names of the two indices suggest this database was being used for billing purposes,” said data breach hunter Greg Pollock, vice president of product at UpGuard, a California-based security firm. “It’s common to see personal information treated less carefully when it’s thought of as belonging to a business function where information security is less of a concern (like billing) rather than a function where security measures are front of mind (like storing personal health information).”
“There’s no such thing as metadata,” he added. “Metadata about people seeking medical services is medical data.”
Jonathan Cran, head of research at Kenna Security, said news of the leak came as no surprise, calling it just the latest example of such negligence. “As a result of the highly sensitive nature of the data, this breach exposes patients to blackmail, embarrassment, and possibly puts their livelihood or personal relationships at risk,” he warned.
Gizmodo has previously reported on similar exposures in the medical industry. In 2017, for example, a trove of tens of thousands of hospital records leaked online, including social security numbers and records of medical diagnoses and treatments. The records, which belonged to patients of Bronx-Lebanon Hospital Center in New York, were exposed by a third party, a medical IT company.
Later that year, an estimated 150,000 patients were exposed after a home-monitoring company left their personal information, including diagnoses and test results, unsecured.
“We have seen firsthand that the healthcare industry struggles with basic security practices,” Cran said.
Paine said he hopes Steps to Recovery will soon acknowledge the breach and take steps to promptly notify its patients, though he added that roughly a month had already gone by.
“I found this data leak purely by accident, but a malicious person could have also found this same data, and potentially used it as part of identity theft,” he said.