As if wrestling with addiction and recovery weren’t difficult enough, tens of thousands of patients of a rehab clinic in Pennsylvania may find their personal information hijacked and manipulated by identity thieves or extortionists.
An Elasticsearch database that was left open to the internet exposed about 4.9 million records of personally identifiable information (PII) on individuals seeking treatment at the Steps to Recovery addiction treatment facility in Levittown, Pa., outside Philadelphia.
“Given the stigma that surrounds addiction, this is almost certainly not information the patients want easily accessible,” said Justin Paine, director of trust and safety at Cloudflare, writing on his personal blog on Friday.
Paine discovered that the database, which was not protected by any form of authentication, held data the treatment facility collected between mid-2016 and late last year.
“Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment,” Paine explained.
In all, the database holds two indices containing 4.91 million documents (roughly 1.45GB of data). After collating and cross-referencing a portion of the information, Paine found that a single patient ID could appear in multiple rows, one for each medical procedure.
“Based on a random sample of 5,000 rows of data from [one of the indexes], I observed 267 unique patients – or roughly 5.34 percent were unique,” he wrote. “Assuming this trend continues, that would suggest the database contained roughly 146,316 unique patients.”
The exposure is made worse by the amount of public information that a Google search can turn up about a named patient.
Paine did just that, Googling the name of a patient and his hometown location. “After briefly reviewing just the freely available information though I could still tell you, with reasonably high confidence, the patient’s age, birthdate, address, past addresses, the names of the patient’s family members, their political affiliation, potential phone numbers and email addresses,” he said.
Combined with the medical details in the database, this is enough for an attacker to craft convincing spear-phishing emails, commit identity theft, or harass, blackmail or extort the patient, potentially even in person.
“A leak of PII related to 146,316 unique patients would be bad on any day,” Paine said. “It’s particularly bad when it is something as sensitive as an addiction rehab center.”
This is just the latest in what has become an epidemic of misconfigured cloud databases. There is no evidence that a malicious adversary accessed this one, but the fact that Paine came across it without looking for it should give anyone pause: cybercriminals actively scan the internet for exactly these kinds of data troves.
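As an added example, not code from the article, from Paine or from Cloudflare, the following Python check tests for the condition that made this leak possible: an Elasticsearch HTTP endpoint that answers without credentials. It requests the cluster banner at `/`, which every Elasticsearch node serves, and, if that comes back without a 401 or 403, lists the indices and their document counts through the `_cat/indices` API so the report states how much data is reachable. The sample responses embedded in it are constructed for offline running and only loosely mirror the figures in the article; the hostnames are placeholders. Run it only against systems you are authorised to test.

```python
"""Check whether an Elasticsearch endpoint serves data without authentication.

Added example; not code from the article, from Justin Paine or from Cloudflare.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Fetch = Callable[[str], Tuple[int, bytes]]  # returns (HTTP status, response body)


@dataclass
class Assessment:
    base_url: str
    exposed: bool
    reason: str
    total_docs: int = 0
    indices: List[Tuple[str, int]] = field(default_factory=list)


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Plain GET with no credentials; returns the status even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def assess(base_url: str, fetch: Fetch = http_fetch) -> Assessment:
    """Classify one endpoint. A 401/403 means some authentication layer is in place."""
    base_url = base_url.rstrip("/")
    status, body = fetch(base_url + "/")
    if status in (401, 403):
        return Assessment(base_url, False, f"authentication required (HTTP {status})")
    if status != 200:
        return Assessment(base_url, False, f"unexpected HTTP {status}")
    try:
        root = json.loads(body)
    except ValueError:
        return Assessment(base_url, False, "HTTP 200 but body is not JSON; probably not Elasticsearch")
    if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
        return Assessment(base_url, False, "HTTP 200 but no cluster banner; probably not Elasticsearch")

    # The banner came back with no credentials. Enumerate indices and document
    # counts so the finding says how much data is reachable, not just that it is.
    status, body = fetch(base_url + "/_cat/indices?format=json&h=index,docs.count")
    indices: List[Tuple[str, int]] = []
    if status == 200:
        for row in json.loads(body):
            indices.append((row["index"], int(row.get("docs.count") or 0)))
    total = sum(count for _, count in indices)
    version = root["version"].get("number", "?")
    reason = f"unauthenticated read access to cluster '{root['cluster_name']}' (Elasticsearch {version})"
    return Assessment(base_url, True, reason, total, indices)


# Constructed sample responses (not captured from the incident) so the check runs offline.
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                        "version": {"number": "6.4.2"}}).encode()
OPEN_INDICES = json.dumps([{"index": "billing", "docs.count": "2170000"},
                           {"index": "patients", "docs.count": "2740000"}]).encode()
LOCKED_ROOT = json.dumps({"error": {"type": "security_exception",
                                    "reason": "missing authentication credentials for REST request [/]"},
                          "status": 401}).encode()


def fake_open(url: str) -> Tuple[int, bytes]:
    """Simulates a node with no authentication configured."""
    return (200, OPEN_INDICES) if "/_cat/indices" in url else (200, OPEN_ROOT)


def fake_locked(url: str) -> Tuple[int, bytes]:
    """Simulates a node that rejects anonymous requests."""
    return 401, LOCKED_ROOT


if __name__ == "__main__":
    # With a URL argument the live check runs; without one, the constructed samples are used.
    if len(sys.argv) > 1:
        result = assess(sys.argv[1], http_fetch)
    else:
        result = assess("http://db.example:9200", fake_open)  # placeholder host
    print(f"{result.base_url}: {'EXPOSED' if result.exposed else 'ok'} - {result.reason}")
    for name, count in result.indices:
        print(f"  index {name}: {count} documents")
    if result.exposed:
        print(f"  total: {result.total_docs} documents reachable without credentials")
```

Invoke it as `python check_es.py http://host:9200` against a host you own; the default `network.host` in Elasticsearch binds to loopback only, so an instance that answers this probe from the internet was deliberately bound to a public address without an authentication layer in front of it.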
Following notification, the hosting provider of the database locked down the information – though the rehab center hasn’t responded yet to Paine’s outreach.
“I initially notified Steps to Recovery regarding the data leak, but also notified the hosting provider given the sensitivity of the data,” Paine said. “To date I have not received any reply from Steps to Recovery, but the hosting provider notified their customer who then promptly took action to disable access to the database. It is unclear if Steps to Recovery took this action, or if someone may have been running this database on their behalf.”
Threatpost has also reached out to Steps to Recovery for comment and to find out whether it has informed patients about the data leak.