A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health records, including personal details, assessments, and medical information, posing serious privacy risks for patients.
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected misconfigured server containing confidential records from Confidant Health, a Texas-based AI platform offering mental health and addiction treatment services to residents of Connecticut, Florida, New Hampshire, Texas, and Virginia.
For your information, Confidant Health offers a range of services including alcohol rehab, an online suboxone clinic, pre-addiction treatment, a behaviour change program, a recovery coach, opioid withdrawal management, and medication-assisted treatment, and has a Telehealth Addiction Recovery app with over 10,000 downloads.
The database in this incident contained over 126,276 files (approx. 5.3 TB) and 1.7 million logging records, exposing sensitive information such as:

Personal Identifying Information (PII): Names, addresses, contact details, driver’s licenses, and insurance information.

Mental Health Assessments: Detailed evaluations of patients’ mental health conditions, family histories, and trauma experiences.

Medical Records: Prescription medication lists, diagnostic test results, health insurance details, Medicaid cards, medical records, treatment transcripts, letters of care listing prescription medication, and medical record requests or waivers.

Audio and Video Recordings: It also includes audio and video recordings of sessions and text transcripts, discussing deeply personal family topics, including children, parents, partners, and conflicts.

The documents revealed psychotherapy intake notes and psychosocial assessments detailing mental health, substance abuse, family issues, psychiatric history, trauma history, medical conditions, and additional diagnoses, Fowler explained in a report shared with Hackread.com ahead of publishing on Friday.
Confidant Health has acknowledged a data leak and restricted access. It is unclear whether the database was managed directly by Confidant Health or a third party. The duration of the exposure and potential access to the misconfigured server remain unknown.
“Not every document in the database was exposed, and a portion of the files were restricted and not publicly viewable. However, even if the data in these restricted files cannot be viewed, there is a potential risk of malicious actors knowing the file paths and storage locations of additional patient data,” Fowler noted.
The exposure of sensitive patient data poses a significant risk to patients' privacy and could lead to various negative consequences, including identity theft, medical identity theft, extortion, and blackmail. Criminals could use this information to open fraudulent accounts, file false insurance claims, target patients with threats to release their mental health information, and exploit their vulnerabilities.
The incident highlights the importance of strong data security measures in the tele-health industry. Key measures may include encryption, access controls, regular security audits, employee training on data security best practices, and a comprehensive incident response plan. As tele-health services continue to grow in popularity, providers must prioritize patient privacy and data security.