Millions of Medical Documents for Addiction and Recovery Patients Leaked


The information includes data on all rehab treatments and procedures, linked with patients’ names and other info.

As if wrestling with addiction and recovery weren’t difficult enough, tens of thousands of patients of a rehab clinic in Pennsylvania may find their personal information hijacked and manipulated by identity thieves or extortionists.

An Elasticsearch database that was left open to the internet exposed about 4.9 million data points of personally identifiable information (PII) related to individuals seeking treatment at the Steps to Recovery addiction treatment facility in Levittown, Pa., outside of Philadelphia.

“Given the stigma that surrounds addiction, this is almost certainly not information the patients want easily accessible,” said Justin Paine, director of trust and safety at Cloudflare, writing on his personal blog on Friday.

Paine discovered that the database, which wasn’t protected by any sort of authentication, contained data collected by the treatment facility between mid-2016 and late last year.

“Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment,” Paine explained.

In all, there are two indexes inside the database, containing 4.91 million documents (roughly 1.45GB of data). After collating and cross-referencing a section of the information, Paine found that a single patient ID could have multiple rows of data for different medical procedures.

“Based on a random sample of 5,000 rows of data from [one of the indexes], I observed 267 unique patients – or roughly 5.34 percent were unique,” he wrote. “Assuming this trend continues, that would suggest the database contained roughly 146,316 unique patients.”
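The two steps above, checking whether a node answers without credentials and sizing the leak from a row sample, are worth seeing in code. The script below is an added example, not the researcher's own tooling; it assumes only the standard Elasticsearch REST layout (GET / and GET /_cat/indices?format=json). Every response and every sample row in it is constructed, with the document counts chosen so the totals reproduce the figures quoted in the article (two indices, 4.91 million documents, about 1.45GB, and 267 unique patients in a 5,000-row sample).

```python
"""Triage an exposed Elasticsearch node and size a leak from a row sample.

Added example, not the researcher's tooling. Assumes the standard
Elasticsearch REST layout; all responses below are constructed.
"""
import json
import re
import urllib.error
import urllib.request
from collections import Counter

# Constructed: what an unauthenticated node returns for GET / (HTTP 200).
ROOT_OK = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                      "version": {"number": "6.5.4"},
                      "tagline": "You Know, for Search"})
# Constructed: a node with security enabled answers GET / with HTTP 401.
ROOT_DENIED = json.dumps({"error": {"type": "security_exception",
                                    "reason": "missing authentication credentials"},
                          "status": 401})
# Constructed GET /_cat/indices?format=json output. Doc counts are chosen so
# the totals match the article (4.91M documents, ~1.45GB, two indices).
CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "procedures", "pri": "5",
     "rep": "1", "docs.count": "2740000", "docs.deleted": "0", "store.size": "1.1gb"},
    {"health": "yellow", "status": "open", "index": "billing", "pri": "5",
     "rep": "1", "docs.count": "2170000", "docs.deleted": "0", "store.size": "360mb"},
])

_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}


def triage_root(status, body):
    """Classify the answer to GET /. 'open' means anyone who can reach the
    port can read (and write) every index without credentials."""
    if status == 401:
        return "auth-required"
    if status == 200:
        doc = json.loads(body)
        if "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def parse_size(text):
    """Convert a _cat size such as '1.1gb' or '360mb' to bytes."""
    m = re.fullmatch(r"([\d.]+)([kmgt]?b)", text.strip().lower())
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def summarize_indices(cat_body):
    """Per-index document counts plus totals, from _cat/indices JSON."""
    rows = json.loads(cat_body)
    per_index = {r["index"]: int(r["docs.count"]) for r in rows}
    return {"indices": per_index,
            "total_docs": sum(per_index.values()),
            "total_bytes": sum(parse_size(r["store.size"]) for r in rows)}


def estimate_unique(sample_rows, key, total_docs):
    """Extrapolate the number of distinct `key` values in a whole index from
    a sample of _source dicts. Assumes the sample is uniformly random and the
    duplication rate is constant across the index; a skewed sample (for
    example the first N rows by _id) makes this an order-of-magnitude figure."""
    if not sample_rows:
        raise ValueError("empty sample")
    unique = len(Counter(r[key] for r in sample_rows))
    return {"sample": len(sample_rows), "unique": unique,
            "ratio": unique / len(sample_rows),
            "estimate": unique * total_docs // len(sample_rows)}


def fetch(base_url, path, timeout=5):
    """Live check against a node you are authorised to test (not used by the
    offline demo below). Returns (status, body) for GET base_url + path."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


if __name__ == "__main__":
    print(triage_root(200, ROOT_OK), triage_root(401, ROOT_DENIED))
    s = summarize_indices(CAT_INDICES)
    print(s["total_docs"], "docs,", round(s["total_bytes"] / 1024 ** 3, 2), "GB")
    # Constructed sample: 5,000 rows cycling through 267 patient IDs.
    sample = [{"patient_id": "P%05d" % (i % 267)} for i in range(5000)]
    print(estimate_unique(sample, "patient_id", s["indices"]["procedures"]))
```

The `triage_root` result is the whole story: a node that returns its cluster name and version to an anonymous GET / is readable by anyone who can reach port 9200. The fix is not on the scanning side but in `elasticsearch.yml`: bind `network.host` to a private address rather than `0.0.0.0`, enable authentication (`xpack.security.enabled: true` on current releases) or front the node with an authenticating proxy, and never expose 9200 to the internet directly. The extrapolation in `estimate_unique` is the same arithmetic Paine used; note its assumption that the sample is random, which a dump of the first few thousand hits by `_id` does not satisfy.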

The urgency of the exposure is further exacerbated by the amount of public information that one can dig up using a Google search.

Paine did just that, Googling the name of a patient and his hometown location. “After briefly reviewing just the freely available information though I could still tell you, with reasonably high confidence, the patient’s age, birthdate, address, past addresses, the names of the patient’s family members, their political affiliation, potential phone numbers and email addresses,” he said.

Clearly, this information, combined with the medical information in the database, is enough for any nefarious sort to put together very convincing spear-phishing emails, carry out identity theft, or even harass, blackmail or extort the patient, up to and including physical harassment.

“A leak of PII related to 146,316 unique patients would be bad on any day,” Paine said. “It’s particularly bad when it is something as sensitive as an addiction rehab center.”

This is just the latest in what has become an epidemic of misconfigured cloud databases. While there’s no evidence that a malicious adversary accessed the database, the fact that Paine stumbled upon it without trying should give anyone pause: cybercriminals actively scan the internet for exactly these kinds of data troves, and an unauthenticated Elasticsearch node on a public address is found within hours, not weeks.

Following notification, the hosting provider of the database locked down the information – though the rehab center hasn’t responded yet to Paine’s outreach.

“I initially notified Steps to Recovery regarding the data leak, but also notified the hosting provider given the sensitivity of the data,” Paine said. “To date I have not received any reply from Steps to Recovery, but the hosting provider notified their customer who then promptly took action to disable access to the database. It is unclear if Steps to Recovery took this action, or if someone may have been running this database on their behalf.”

Threatpost has also reached out to Steps to Recovery for comment and to find out whether it has informed patients about the data leak.



  • shaikimam on

    Magnificent blog. I visit this blog; it's extremely wonderful. Interestingly, in this blog the content is composed plainly and reasonably. The substance of the data is useful.
  • Martin G on

    Your article is completely false. I guess five minutes of research isn’t worth ngf
    • Tara Seals on

      You probably want to direct your complaint to the researcher: I also reached out to the recovery center to get their side of the story and they never responded. Please do let us know what the researcher got wrong, and how you know this. Thanks!
  • Martin G. on

    1. The facility has only been open a few years and it's factually impossible to have millions of patients at a small outpatient center. 2. There's no reason to even go into all the other facts because it's clearly false. Just because someone writes about something and makes a statement, that means it's true and it gets re-written as fact? A close friend of mine has been working there for a couple of years.
    • Tara Seals on

      Cloud database misconfigurations happen all the time; they're entirely avoidable, which is why we report on them. The article doesn't say that millions of patients were affected. It says that 146,316 unique patients were affected, representing millions of data points. Many times smaller organizations have trouble properly configuring their databases because of a lack of IT resources; it's just the way it is. Nonetheless, they have a HUGE responsibility, especially in this case, to protect their patient information. I reached out to the center on Twitter and got crickets back. If they want to say that the researcher's find is completely false, I would be happy to update the story with their official statement.
