Researcher Identifies Exposed Database Containing Mental Health and Substance Abuse Treatment Information
A cybersecurity researcher has found an exposed healthcare database containing mental health and substance abuse treatment records that could be accessed via the Internet without a password.
Researcher Jeremiah Fowler traced the database to Confidant Health, an Austin, TX-based company that has an AI-powered platform that connects individuals with therapists, psychiatrists, and providers of addiction treatment services. The company serves individuals in the states of Connecticut, Florida, New Hampshire, Texas, and Virginia.
Fowler identified around 126,000 files and 1.7 million logging records, which included sensitive personally identifiable information of patients, therapists, and healthcare professionals. The exposed information included names, addresses, driver’s license information, state IDs, Medicaid cards, prescription medications, medical record requests, drug test results, and other health information. Audio recordings of sessions and text transcripts had also been exposed.
Fowler notified Confidant Health about the exposed data, was told that the incident would be investigated, and access to the database was restricted within a few hours. It is unclear for how long the data was exposed, whether it was accessed by unauthorized individuals, or if the database was managed by Confidant Health or a third party. Fowler has written about the discovery on VPNMentor. Confidant Health’s website suggests it is a HIPAA-covered entity and has received a HIPAA Seal of Compliance. At present, a data breach is not listed on the HHS’ Office for Civil Rights for Confidant Health.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Hospital Sisters Health System Provides Update on August 2023 Cyberattack
Hospital Sisters Health System in Springfield, IL, has provided an update on a cyberattack that impacted its hospital and clinic operations and most of its communication systems. Immediate action was taken to prevent further unauthorized access and to contain and remediate the incident, and a leading cybersecurity firm has been engaged to conduct a forensic investigation. The investigation has been completed and confirmed that its network was breached between August 16, 2023, and August 27, 2023. The file review has been time-intensive and is ongoing, and notification letters are being sent to the affected individuals on a rolling basis as files containing protected health information are identified.
Hospital Sisters said the types of data involved vary from individual to individual and may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, health insurance information, and limited medical and treatment information. Complimentary credit monitoring and identity theft protection services are being offered to individuals whose Social Security numbers and/or driver’s license numbers were potentially involved. Since the file review is ongoing, Hospital Sisters is unable to confirm how many individuals have been affected.
