Unsecured Rehab Clinic Database Exposed Millions Of Patient Records

Yet another exposed database has been found leaking millions of records. This time the unsecured database belonged to a rehabilitation center, and the publicly accessible data included details on around 150 thousand patients.

Rehab Clinic Database Exposed a Huge Amount of Records

Reportedly, Justin Payne, the Director of Trust and Safety at Cloudflare, came across an improperly secured Elasticsearch database that was reachable from the public internet. The database exposed detailed medical records of patients who had received rehabilitation treatment.

Payne described his findings in a blog post. The database was publicly exposing personally identifiable information (PII) and clinical data of patients at the rehab center ‘Steps to Recovery’. The records ran from mid-2016 to late 2018, roughly two years of data.

The exposed database was about 1.45GB in size and contained 4.91 million records, which Payne estimated belong to roughly 146,316 unique patients. That figure is an extrapolation from a random sample of 5,000 rows rather than an exact count:

“Based on a random sample of 5,000 rows of data from the “infcharges” index, I observed 267 unique patients – or roughly 5.34% were unique. Assuming this trend continues, that would suggest the database contained roughly 146,316 unique patients.”
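The estimate above scales the share of unique patients in a 5,000-row sample up to the whole index. The following is an added example, not code from Payne's post, that applies the same ratio method to a constructed dataset (10,000 patients with 20 billing rows each; these figures are assumptions, not the breached database's) so the caveat is visible: ratio extrapolation only comes out right when the sample's duplicate structure mirrors the whole table, as it does for a contiguous chunk of an index sorted by patient. A uniform random sample of 5,000 rows from a table that large contains almost no repeated patients, so the ratio method wildly overestimates there; the Chao1 estimator, which corrects for values seen once or twice, is the tool to reach for in that case.

```python
"""Added illustration (not Payne's code): estimating unique patients in a
large table from a sample of its rows, ratio method versus Chao1."""
import random
from collections import Counter

# Constructed dataset: PATIENTS patients, ROWS_PER_PATIENT charge rows each,
# stored sorted by patient the way a charges index exported per patient would
# be. These values are assumptions, not the breached database's figures.
PATIENTS = 10_000
ROWS_PER_PATIENT = 20


def build_rows():
    """Return a list of (patient_id, charge_id) tuples, sorted by patient."""
    return [(p, c) for p in range(PATIENTS) for c in range(ROWS_PER_PATIENT)]


def exact_unique(rows):
    """Ground truth: count distinct patient ids across the whole table."""
    return len({p for p, _ in rows})


def linear_extrapolation(total_rows, sample_rows, unique_in_sample):
    """The ratio method from the post: unique share of the sample, scaled
    up to the whole table."""
    return total_rows * unique_in_sample / sample_rows


def chao1(sample_patient_ids):
    """Chao1 lower-bound estimator of distinct values: observed distinct ids
    plus a correction from ids seen exactly once (f1) and exactly twice (f2)."""
    counts = Counter(sample_patient_ids)
    observed = len(counts)
    f1 = sum(1 for n in counts.values() if n == 1)
    f2 = sum(1 for n in counts.values() if n == 2)
    if f2 == 0:
        # bias-corrected form used when the sample has no doubletons
        return observed + f1 * (f1 - 1) / 2
    return observed + f1 * f1 / (2 * f2)


def estimate_from_contiguous(rows, sample_size):
    """Ratio estimate from the first sample_size rows, as a 'head' of a
    patient-sorted export would give."""
    sample = [p for p, _ in rows[:sample_size]]
    return linear_extrapolation(len(rows), sample_size, len(set(sample)))


def estimate_from_random(rows, sample_size, seed=1):
    """Uniform random sample of rows; returns (ratio estimate, Chao1 estimate)."""
    rng = random.Random(seed)
    sample = [p for p, _ in rng.sample(rows, sample_size)]
    linear = linear_extrapolation(len(rows), sample_size, len(set(sample)))
    return linear, chao1(sample)


if __name__ == "__main__":
    rows = build_rows()
    print("exact unique patients:      ", exact_unique(rows))
    print("ratio, contiguous sample:   ", round(estimate_from_contiguous(rows, 5000)))
    lin, ch = estimate_from_random(rows, 5000)
    print("ratio, random sample:       ", round(lin))
    print("chao1, random sample:       ", round(ch))
```

On this constructed table the contiguous-sample ratio lands exactly on the true 10,000, the random-sample ratio comes out well above 100,000, and Chao1 on the same random sample lands within a few percent of the truth. When sizing a breach from a partial export, record how the sample was taken, because the right estimator depends on it.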

Beyond the personal information already present in the database, Payne noted that a quick Google search starting from a leaked record could reveal even more about a patient:

“After briefly reviewing just the freely available information though I could still tell you, with reasonably high confidence, the patient’s age, birthdate, address, past addresses, the names of the patient’s family members, their political affiliation, potential phone numbers, and email addresses.”

Leaky Database Went Offline

Justin Payne found the exposed server on March 24, 2019, and the same day notified both ‘Steps to Recovery’ and the provider hosting the Elasticsearch instance. The hosting provider confirmed that the open database had been taken down, but the rehab center never responded to him.

“To date, I have not received any reply from Steps To Recovery, but the hosting provider notified their customer who then promptly took action to disable access to the database.”

Eventually, after his follow-up emails also went unanswered, Payne disclosed the exposure publicly, urging the rehab clinic to notify the affected patients as soon as possible.

Earlier this month, a similar incident affected Natural Health Services Canada, which allegedly suffered a data breach exposing the personal information of medical marijuana patients.
