The highly sensitive data of patients who had received treatment at addiction rehabilitation centers was found to be publicly accessible online because of an unsecured database. The database held around 4.91 million records associated with an estimated 145,000 patients of Steps to Recovery, an addiction rehabilitation service provider located in Levittown, PA.
Justin Paine, Director of Trust and Safety at Cloudflare, discovered the unsecured database on March 24, 2019. Paine immediately notified Steps to Recovery and the hosting company about the exposure. Steps to Recovery did not reply, but the hosting company responded and secured the database, which is no longer accessible over the internet.
Paine identified unsecured databases and devices by searching the Shodan search engine. According to Paine, the Elasticsearch database comprised two indices containing over 1.45 GB of data. The data could be accessed over the internet without any authentication. The database was open on the web for over two years, from mid-2016 to the end of 2018.
The database contained information such as patients’ names, details of the treatments and services patients received at Steps to Recovery, the dates on which those services were provided, locations frequented by patients, and billing details.
Paine was also able to find additional information about patients through simple Google searches using data taken from the database. For a small number of patients, this turned up ages, dates of birth, email addresses, and contact phone numbers.
Steps to Recovery has not yet confirmed how many patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights has not yet listed the incident on its breach portal. It is not known whether anyone else accessed the unsecured database while it was exposed online.