A misconfigured server belonging to the US-based AI healthcare company Confidant Health exposed 5.3 TB of sensitive mental health records, including personal details, assessments, and medical records, posing serious privacy risks for patients.
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected, misconfigured server containing confidential data from Confidant Health, a Texas-based AI platform offering mental health and addiction treatment services to residents of Connecticut, Florida, New Hampshire, Texas, and Virginia.
For your information, Confidant Health offers a range of services including alcohol rehab, an online suboxone clinic, pre-addiction treatment, a behaviour change program, a recovery coach, opioid withdrawal management, and medication-assisted treatment, and has a Telehealth Addiction Recovery app with over 10,000 downloads.
The database in this incident contained over 126,276 files (approx. 5.3 TB) and 1.7 million logging records, exposing sensitive information such as:
- Personally Identifiable Information (PII): Names, addresses, contact details, driver's licenses, and insurance information.
- Mental Health Assessments: Detailed evaluations of patients' mental health conditions, family histories, and trauma experiences.
- Medical Records: Prescription medication lists, diagnostic test results, medical insurance details, Medicaid cards, medical records, therapy transcripts, letters of care listing prescription medications, and medical record requests or waivers.
- Audio and Video Recordings: Audio and video recordings of sessions and text transcripts, discussing deeply personal family topics, including children, parents, partners, and conflicts.
The documents revealed psychotherapy intake notes and psychosocial assessments detailing mental health, substance abuse, family issues, psychiatric history, trauma history, medical conditions, and additional diagnoses, Fowler explained in a report shared with Hackread.com ahead of publishing on Friday.
Confidant Health has acknowledged the data leak and restricted access. It is unclear whether the database was managed directly by Confidant Health or by a third party. The duration of the exposure and whether anyone else accessed the misconfigured server remain unknown.
“Not every document in the database was exposed, and a portion of the files were restricted and not publicly viewable. However, even if the data in these restricted files cannot be viewed, there is a potential risk of malicious actors knowing the file paths and storage locations of additional patient data,” Fowler noted.
The exposure of sensitive patient data poses a significant risk to their privacy and could lead to various negative consequences, including identity theft, medical identity theft, extortion, and blackmail. Criminals could use this information to open fraudulent accounts, file false insurance claims, target patients with threats to release their mental health records, and exploit their vulnerabilities.
The incident highlights the importance of strong data security measures in the telehealth industry. Key measures may include encryption, access controls, regular security audits, employee training on data protection best practices, and a comprehensive incident response plan. As telehealth services continue to grow in popularity, providers must prioritize patient privacy and data security.