A misconfigured AWS S3 storage bucket owned by Sunshine Behavioral Health, LLC, a network of drug and alcohol addiction rehabilitation centers based in San Juan Capistrano, CA resulted in the compromise of sensitive patient data.
The report of the misconfigured AWS S3 bucket was first received in August 2019 by databreaches.net. Databreaches.net contacted Sunshine Behavioral Health, which secured the bucket immediately. The report of data exposure was not submitted to the HHS’ Office for Civil Rights. The California Attorney General’s website has not published the breach report yet. The Sunshine Behavioral Health website did not mention the breach either, although it has been over 60 days after Sunshine Behavioral Health knew about the breach.
Databreaches.net reviewed the breach in November and found that files remained exposed. The PDF file URLs included in the bucket remain available and may be viewed even by anyone without a password. In case the URLs were taken at the same time the bucket was compromised, the URLs of the PDF files of 93,000 patients might have been viewed and downloaded.
As per Dissent, the files do not match the 93,000 patients. Certain patients had several files and a number of the files seemed to have test results or templates. Additional contact was done with Sunshine Behavioral Health, however, no reply was given, although the email was read as the URLs are no longer accessible.
The exact number of patients affected, the time when the files were exposed on the internet, and the unauthorized people during that time are unknown as of the moment. The files were mainly billing records, containing the following information: complete names, birth dates, postal addresses, email addresses, phone numbers, complete credit card numbers, expiry date, full CVV codes, and medical insurance data.