Patient PII exposed in leak of Pennsylvania-based rehab center records

Patient names, their rehab care provider, and specific procedures they received were among the information sitting in the insecure database.
The security researcher roughly estimated that over 146,000 unique patients could be affected by the data leak. (Getty)

A trove of personally identifiable information on patients at an addiction treatment center in Pennsylvania has been left in an insecure database, potentially exposing those people to identity theft.

Patient names, their rehab care provider, and specific procedures they received were among the information sitting in a database that didn’t require authentication for someone to access, according to Justin Paine, the security researcher who made the discovery.

Taking a tiny sample size of the nearly 5 million rows of data that he found, Paine roughly estimated that over 146,000 unique patients could be affected by the data leak. He emphasized, however, that it is “entirely possible” that the sample was not representative of the full dataset.

“I only sampled the 5,000 rows of data,” Paine told CyberScoop in an email. “I didn’t want to go digging through the sensitive data any further than I needed to.”

Paine came across the Elasticsearch database during a sweep of Shodan, the search tool for internet-connected devices. “Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” Paine wrote in a blog post Friday.

CNET was first to report on the research.

The name of the database and other information suggests it belongs to Steps to Recovery, a rehab center in Levittown, Pennsylvania, Paine said. The facility offers boarding and care for those looking to overcome substance addiction.

Paine told CyberScoop that he had not seen any indication that a malicious actor had accessed the data. The sensitive information, however, is the type of data that identity thieves prey on. A Google search using the patients’ names, rehab care provider, and geographic area can lead to a host of other information about the person, including birth dates, email addresses, and political affiliation, Paine said.

The database has been disabled, but it is unclear whether Steps to Recovery had notified patients of the data leak. Paine said that, to the best of his knowledge, that hadn’t happened.

CyberScoop could not find any public notice of the data leak from the rehab center and, as of Friday afternoon, the organization had not returned a request for comment.

Steps to Recovery has enlisted a cybersecurity company to investigate the incident, CNET reported.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.