On September 6, 2024, a security researcher discovered an unsecured Confidant Health database exposing highly sensitive information, including therapy recordings and transcripts.
Jeremiah Fowler, an ethical security researcher, discovered a data exposure linked to Confidant Health, a virtual medical provider operating in states such as Connecticut and Florida. Fowler found an unsecured database containing 5.3 terabytes of sensitive patient data, including audio and video therapy sessions, transcripts, medical histories, and personally identifiable information (PII). The database housed over 120,000 files and 1.7 million activity logs. Fowler alerted Confidant Health to the exposure, and the company has since restricted access to the database.
According to Fowler in VPNMentor, “I saw documents indicating psychotherapy intake notes and psychosocial assessments that provided details about mental health or substance abuse, touching upon the patients’ family issues, psychiatric history, trauma history, medical conditions, and additional diagnoses. I also saw references to audio and video recordings of the sessions and text transcripts…”
Fowler discusses the particular sensitivity of the exposed data and how threat actors can use it. One section is dedicated to the potential resale value of health data on the internet (starting at $1,000). There is also the matter of how exposed patient data leaves patients open to financial repercussions: threat actors can ransom the same information back to the patients themselves. This is especially the case when the data contains diagnosis and mental health information, as it did in the Confidant Health case.
Terabyte: A unit of digital storage equivalent to 1,000 gigabytes.
Threat actor: A person or entity responsible for carrying out a malicious activity.
Unsecured database: A data storage system that lacks sufficient security measures to prevent unauthorized access.