Patient PII exposed in leak of Pennsylvania-based rehab center records

The security researcher roughly estimated that over 146,000 unique patients could be affected by the data leak. (Getty)



A trove of personally identifiable information on patients at an addiction treatment center in Pennsylvania has been left in an insecure database, potentially exposing those people to identity theft.

Patient names, their rehab care provider, and specific procedures they received were among the information sitting in a database that didn’t require authentication for someone to access, according to Justin Paine, the security researcher who made the discovery.

Taking a tiny sample size of the nearly 5 million rows of data that he found, Paine roughly estimated that over 146,000 unique patients could be affected by the data leak. He emphasized, however, that it is “entirely possible” that the sample was not representative of the full dataset.

“I only sampled the 5,000 rows of data,” Paine told CyberScoop in an email. “I didn’t want to go digging through the sensitive data any further than I needed to.”

Paine came across the Elasticsearch database during a sweep of Shodan, the search tool for internet-connected devices. “Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” Paine wrote in a blog post Friday.
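The exposure pattern here, an Elasticsearch node reachable from the internet with no authentication, is visible in the node's own configuration before any data is indexed. The following added example, not from the researcher's post or from the rehab center's systems, audits two constructed elasticsearch.yml fragments; the setting names are real Elasticsearch options, the values and cluster name are assumed.

```python
"""Flag an elasticsearch.yml that reproduces the 'open database' condition:
a node bound to a non-loopback interface with authentication switched off."""
from typing import Dict, List

# Constructed config fragments for illustration (assumed values, not the incident's).
WEAK_CONFIG = """\
cluster.name: records-cluster
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: records-cluster
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read the flat `key: value` lines Elasticsearch uses; comments and blanks are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per setting that contributes to public, unauthenticated access."""
    findings: List[str] = []
    host = settings.get("network.host", "_local_")  # default binds to loopback only
    if host not in LOOPBACK:
        findings.append(f"network.host={host}: REST API reachable from other hosts")
    # A missing value is treated as disabled, the pre-8.0 default on the basic license.
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication required")
    if settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: traffic in clear text")
    return findings


def is_exposed(text: str) -> bool:
    """True only when the node is both network-reachable and unauthenticated."""
    f = audit(parse_flat_yaml(text))
    return any("network.host" in x for x in f) and any("xpack.security.enabled" in x for x in f)
```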

CNET was first to report on the research.

The name of the database and other information suggests it belongs to Steps to Recovery, a rehab center in Levittown, Pennsylvania, Paine said. The facility offers boarding and care for those looking to overcome substance addiction.

Paine told CyberScoop that he had not seen any indication that a malicious actor had accessed the data. The sensitive information, however, is the type of data that identity thieves prey on. A Google search using the patients’ names, rehab care provider, and geographic area can lead to a host of other information about the person, including birth dates, email addresses, and political affiliation, Paine said.

The database has been disabled, but it is unclear whether Steps to Recovery had notified patients of the data leak. Paine said that, to the best of his knowledge, that hadn’t happened.

CyberScoop could not find any public notice of the data leak from the rehab center and, as of Friday afternoon, the organization had not returned a request for comment.

Steps to Recovery has enlisted a cybersecurity company to investigate the incident, CNET reported.
