web analytics

Mental Health Records Database Found Exposed on Web – Source: www.databreachtoday.com

mental-health-records-database-found-exposed-on-web-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Governance & Risk Management
,
Healthcare
,
Industry Specific

Cyber Researcher Reported Findings to Virtual Care Provider; Data Now Secured

Marianne Kolbasuk McGee (HealthInfoSec) •
September 11, 2024    

Mental Health Records Database Found Exposed on Web
Image: Confidant Health

An AI-powered virtual care provider’s unsecured database allegedly exposed thousands of sensitive mental health and substance abuse treatment records between patients and their counselors on the internet – where they were available to anyone, said the security researcher who discovered the trove.

See Also: Live Webinar | Building a More Resilient Healthcare Enterprise and Ecosystem

Although it is unclear how long the records were allegedly left exposed, Texas-based virtual care company Confidant Health secured the data within hours of hearing from security researcher Jeremiah Fowler, who notified the firm about his discovery. In total, the 5.3-terabyte database – unprotected by a password or any other form of authentication – contained 126,276 files, along with a separate folder holding 1.75 million logging records, he said.

Documents in the database included names and sensitive information of Confidant Health patients, counselors and medical professionals, Fowler said.

“The patients’ records contained images of driver’s licenses, ID cards, insurance cards, Medicaid cards, letters of care listing prescription medication, and medical record requests or waivers. The database also contained diagnostic drug tests indicating names, addresses and test results for specific substances,” he said in a report issued Friday.

“I saw documents indicating psychotherapy intake notes and psychosocial assessments that provided details about mental health or substance abuse, touching upon the patients’ family issues, psychiatric history, trauma history, medical conditions and additional diagnoses,” he said.

Fowler said he saw references to audio and video recordings of the sessions and text transcripts covering “highly detailed and deeply personal family topics, disclosing names of children, parents, partners and the nature of conflicts.”

Fowler, who is a researcher at security vendor vpnMentor and co-founder of security services firm Security Discovery, told Information Security Media Group he manually analyzed about 1,000 documents and estimated that about 60% of them were accessible.

“With such a large number of documents, the only way to know how many were exposed would have been to go through each one, and this would have taken a very long time and allowed those documents to be at risk longer, so I made the decision to report it as soon as possible,” he said.

“Many of the patients have multiple documents so it is possible that perhaps one may have had some but not all records exposed on their specific files. The application has been downloaded at least 10,000 times on Android alone so I would say that is a baseline or minimum without counting iOS or direct users going to physical locations,” he said.

The specific files that Fowler found “were accessible using nothing more than an internet browser and required no password or administrative credentials once you knew the file path or URL address,” he told ISMG.

On its website, Confidant Health calls itself an “app-based hub of resources and real-life clinical providers” offering a range of services including alcohol rehab, online Suboxone clinic, pre-addiction treatment, addiction treatment, behavior change program, recovery coach, opioid withdrawal management, medication-assisted treatment.

The company also offers a Telehealth Addiction Recovery application that is available for iOS and Android.

Confidant Health did not immediately respond to ISMG’s request for comment on Fowler’s alleged discovery.

Common Mishaps?

Fowler said he knows why or how the Confidant Health files became exposed to the internet, but it isn’t the first time he has discovered troves of unsecured health information. In a report issued in January, Fowler said he discovered an unsecured database appearing to belong to a Netherlands-based medical laboratory that exposed 1.3 million records on the internet, including COVID test results and other personally identifiable information.

Fowler said the data appeared to belong to Coronalab.eu, which is owned by Microbe & Lab, a medical laboratory based in Amsterdam (see: Medical Lab Database Exposed 1.3M Records, COVID Test Info).

“I recommend that healthcare providers conduct regular security audits of their network and storage environments,” Fowler said. “Ensure that any third-party vendors or contractors also test their systems for vulnerabilities and that any additional software is up to date. There is no one-size-fits-all approach to cybersecurity, and with a patchwork of different systems for data collection and storage, it leaves plenty of room for gaps,” he said.

“My advice would be to understand that patient data is equally as valuable as the services provided, and only by investing in data security and being proactive can entities avoid data incidents.”

Original Post url: https://www.databreachtoday.com/mental-health-records-database-found-exposed-on-web-a-26264

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas...
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

Sandhya Kaushik
Checklist for Securing Your Android Apps
Checklist for Securing Your Android...
aDvens
May Cyber Threat Intelligence monthly report
May Cyber Threat Intelligence monthly...
Insikt Group
Caught in the Net
Caught in the Net
IGNITE Technologies
BURP SUITE FOR PENTESTER TURBO INTRUDER
BURP SUITE FOR PENTESTER TURBO...
SYED ABUTHAHIR
BUG BOUNTY AUTOMATION WITH PYTHON
BUG BOUNTY AUTOMATION WITH PYTHON
Foresiet
Brand Impersonation Attacks
Brand Impersonation Attacks
Google Cloud
Board of Directors Handbook for Cloud Risk Governance
Board of Directors Handbook for...
ISACA
Blueprint for Ransomware Defense
Blueprint for Ransomware Defense
Shaurya Rawal
Blockchain Security
Blockchain Security
RISK academy
BEST RISK MANAGEMENT PROMPTS FOR CHATGPT
BEST RISK MANAGEMENT PROMPTS FOR...
IGNITE Technologies
Best Alternative of Netcat
Best Alternative of Netcat
aws
AWS Security Incident Response Guide
AWS Security Incident Response Guide

More Latest Published Posts

ENISA-EUROPA
Cyber Resilience Act Requirements Standards Mapping
Cyber Resilience Act Requirements Standards Mapping
IGNITE Technologies
A Little Guide to SMB Enumeration
A Little Guide to SMB Enumeration
GMsectec
Adaptacióna PCI DSS 4.0
Adaptacióna PCI DSS 4.0
LogRhythm
A Guide to User and Entity Behavior Analytics (UEBA)
A Guide to User and Entity Behavior Analytics (UEBA)
BONI YEAMIN
100 Offensive Linux Security Tools
100 Offensive Linux Security Tools
SentinelOne
90 DAYS A CISO’S JOURNEY TO IMPACT
90 DAYS A CISO’S JOURNEY TO IMPACT
ChiefExecutive
Ciberseguridad: Prioridad Estratégica para los CEO.
Ciberseguridad: Prioridad Estratégica para los CEO.
CYBER SECURITY COALITION
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
CYBER SECURITY INCIDENT MANAGEMENT GUIDE
INL/EXT
Cybersecurity for Distributed Wind
Cybersecurity for Distributed Wind
ARTIC WOLF
Cybersecurity Compliance Guide
Cybersecurity Compliance Guide
ESRAA MOHAMAD
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
ELEARN SECURITY CERTIFIED INCIDENT RESPONSE
DRAGOS
Impact of FrostyGoop ICS Malware on Connected OT Systems
Impact of FrostyGoop ICS Malware on Connected OT Systems
Victor Tong
Digital Operational Resilience Act – Control Mappings
Digital Operational Resilience Act – Control Mappings
ARMIS
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
DORA Resiliency Guide Strengthening Cybersecurity and Operational Resilience in the Financial Sector
IGNITE Technologies
Docker Penetration Testing
Docker Penetration Testing
IGNITE Technologies
Disk Group Privilege Escalation
Disk Group Privilege Escalation
Hiral Patel
Data LossPrevention(DLP)
Data LossPrevention(DLP)
Polygon
Digital identity – Deutsche Bank Corporate Bank
Digital identity – Deutsche Bank Corporate Bank
CSA Cloud Security Alliance
The Six Pillars of DevSecOps:Collaboration andIntegration
The Six Pillars of DevSecOps:Collaboration andIntegration
ASPIRE SYSTEMS
A complete guide toImplementingDevSecOps in AWS
A complete guide toImplementingDevSecOps in AWS
GAO
CYBERSECURITY PROGRAM AUDIT GUIDE
CYBERSECURITY PROGRAM AUDIT GUIDE
Apress
Demystifying Intelligent Multimode Security Systems An SystemsAn Edge-to-Cloud Cybersecurity Solutions Guide
Demystifying Intelligent Multimode Security Systems An SystemsAn Edge-to-Cloud Cybersecurity Solutions Guide
PWC
Data Privacy Handbook
Data Privacy Handbook
CERT-EU
DDoS Overview and Response Guide
DDoS Overview and Response Guide
IGNITE Technologies
Data Exfiltration Cheat Sheet
Data Exfiltration Cheat Sheet
CRC Press
Data Privacy for the Smart Grid
Data Privacy for the Smart Grid
New York State
Cybersecurity Program Template A resource to help individual licensees and individually owned businesses develop a cybersecurity program as required by New York State’s Cybersecurity Regulation 23 NYCRR Part 500
Cybersecurity Program Template A resource to help individual licensees and individually owned businesses develop a cybersecurity program as required by New York State’s Cybersecurity Regulation 23 NYCRR Part 500
Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security