HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Unsecured database exposes therapy records from mental health firm

Written by Farah Amod | Sep 20, 2024 10:16:52 AM

A security breach has exposed the health details of thousands of individuals seeking mental health and addiction treatment services.
What happened

Security researcher Jeremiah Fowler uncovered over 120,000 files (totaling 5.3 TB) and 1.7 million activity logs in an unsecured database linked to virtual medical provider Confidant Health. The cache of information included personal details about patients, such as psychiatry intake notes, medical histories, and even audio/video recordings of therapy sessions.

Confidant Health, which operates across five U.S. states, provides services for alcohol and drug addiction recovery, as well as mental health treatments. The company quickly shut off access to the exposed database after being notified by Fowler, stating that the issue was resolved in less than an hour. However, the company acknowledged that a "small subset of files (less than 1% of the total files)" could be openly accessed during this time, including documents such as faxes and synthetic training data.
Going deeper

The exposed data contained a wide range of private and confidential information. One seven-page psychiatry intake file, for instance, detailed a patient's issues with alcohol and substance abuse, including their claim to have taken small amounts of narcotics from a deceased family member's hospice supply. Another document revealed a mother's description of the contentious relationship between her husband and son, including an accusation of sexual abuse while the son was using stimulants.

In addition to the sensitive medical files, the exposed database also contained administrative and verification documents, such as copies of driver's licenses, ID cards, and insurance cards. Logs within the database even suggested the collection of data by chatbots or artificial intelligence, with references to prompts and AI responses.
What was said

Confidant Health's cofounder, Jon Read, acknowledged the security concerns and stated that the company takes such issues seriously. He claimed the company conducted a security audit with external experts and found no evidence of malicious actors accessing patient records or external chatbots/AI interacting with the data. Read also stated that the patients whose information was accessed by non-clinical staff have been informed.

Jeremiah Fowler, the security researcher who uncovered the breach, described the exposed data as "heartbreaking" and "really painful," akin to having one's "deepest, darkest secrets" revealed. He noted that the database contained a mix of locked and unlocked files, which he said was unusual to see in an exposed database.
Why it matters

As companies like Confidant Health expand their services to newer areas, such as therapy, the volume and sensitivity of breached data naturally increase, raising the risks associated with data loss, including financial, medical, and reputational damages to patients.

The breach at Confidant Health is a wake-up call for the healthcare industry, particularly for firms offering new services or experiencing rapid growth. Protecting sensitive patient data must be a core component of any such business, because a single security lapse carries real consequences for patients and for the company.
What we can learn

The breach at Confidant Health shows how essential it is for organizations to take data security seriously, especially as they expand and adopt new technologies. Here are some takeaways and recommendations:

  • Make data security a priority: Protecting sensitive information should be a top concern for every healthcare organization. Regular security audits and checks can help spot vulnerabilities before they lead to bigger issues.
  • Control who sees what: Only those who need to see patient information should have access, and it’s necessary to review these permissions regularly.
  • Educate your team: Everyone in the organization should know how to recognize potential threats and understand why protecting patient information matters.
  • Encrypt sensitive data: Using encryption for data at rest and in transit can strengthen your security. It adds an important layer of protection against unauthorized access.
  • Have a plan for breaches: Organizations should have a clear response plan for when a data breach occurs. The plan should outline how to contain the situation and how to communicate with those affected.
  • Vet third-party vendors: If your organization works with outside vendors, ensure they follow strict security practices. Confirm, rather than assume, that your partners are committed to protecting patient data.
  • Be transparent: If a breach occurs, you must be open with those affected. Informing them about what happened and what steps are being taken can help rebuild trust.
  • Keep an eye on data access: Regular monitoring of who accesses sensitive data can help catch unauthorized attempts early on. Setting up alerts for suspicious activity can streamline this process.
FAQs

What is a data breach?

A data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, social security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.
Can legal action result from a data breach?

Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.
How can healthcare organizations prevent data breaches?

Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular employee security training, and using encryption to protect sensitive data.

What should a healthcare organization do immediately after discovering a data breach?

Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.