More than two years of billing records from a drug and alcohol rehabilitation center were made freely available on the internet, a security researcher has discovered.
Justin Paine has been scouring the internet for publicly exposed Elasticsearch databases and has previously found access logs from streaming services, app developers and online casinos, but the database from the Steps to Recovery rehab center in Ohio is by far the most disturbing so far.
The database backs the center's billing system. It does not contain credit card numbers or other identity documents, but it does hold patient names alongside patient IDs, provider IDs, descriptions of the services provided and the dates they were provided, together with the medical billing codes and the fees charged.
Such information is highly personal and confidential. Anyone with access can easily see when someone was admitted to the rehab, when they left, and what treatment they received while there: for example, code 0901 denotes electric shock treatment and 0916 family psychotherapy.
Paine contacted both the rehab center and the company hosting the database; a day later access controls were applied and the database is no longer publicly readable. He notes, however, that the company never contacted him, and it is unclear whether it has informed patients that their personal data was exposed online.
The database itself was 1.45GB and contained nearly five million documents dated from mid-2016 to late 2018, which Paine estimated covered around 150,000 patients. He also notes that, given the patient names and the location (Ohio), it was easy to find more information on the exposed individuals through simple web searches.
Such information in the wrong hands is a recipe for disaster: it could easily be used to blackmail, harass or con people, or to steal their identities, among many other malicious uses.
We have contacted the center to ask what happened, whether it has informed affected patients, and what steps it is taking to ensure it doesn't happen again, and will update this story if it responds.
In the meantime, it should serve as a reminder that every sysadmin should check, and periodically recheck, that their databases are not reachable from the public internet without authentication. ®
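One way to run that check, as an added example that is not part of the article and not the researcher's own tooling: a small Python probe that asks an Elasticsearch endpoint for its cluster metadata and index listing without credentials and reports whether the service is unreachable, secured, or wide open. It assumes only the standard Elasticsearch REST API (GET / returns cluster metadata, GET /_cat/indices?format=json lists indices with a docs.count field). The host address, cluster name, index names and document counts below are constructed for offline use; the probe takes an injectable opener so the sample run needs no network.

```python
"""Probe an Elasticsearch endpoint for unauthenticated read access.

Added example; not code from the article or from the researcher it describes.
Assumes the standard Elasticsearch REST API: GET / returns cluster metadata
as JSON and GET /_cat/indices?format=json lists indices with docs.count.
Host, cluster name, index names and counts are made up for this example.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def _fetch(opener, url, timeout=5):
    """GET url; return (status, body). Status 0 means no HTTP answer at all."""
    try:
        with opener(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 401/403/404 etc. from the server
        return err.code, ""
    except (urllib.error.URLError, OSError):   # refused, timed out, bad host
        return 0, ""


def probe_elasticsearch(base_url, opener=urllib.request.urlopen):
    """Classify base_url as unreachable, authenticated, or open to anyone.

    anonymous_access=True is the finding that matters: anyone who can reach
    the port can read every index without credentials.
    """
    base_url = base_url.rstrip("/")
    result = {"reachable": False, "anonymous_access": False,
              "cluster_name": None, "indices": [], "total_docs": 0}
    status, body = _fetch(opener, base_url + "/")
    if status == 0:
        return result
    result["reachable"] = True
    if status != 200:          # 401/403: security is enabled, stop here
        return result
    try:
        root = json.loads(body)
    except ValueError:
        return result          # not JSON: some other service on this port
    if "cluster_name" not in root:
        return result
    result["anonymous_access"] = True
    result["cluster_name"] = root["cluster_name"]
    status, body = _fetch(opener, base_url + "/_cat/indices?format=json")
    if status == 200:
        try:
            entries = json.loads(body)
        except ValueError:
            entries = []
        for entry in entries:
            count = int(entry.get("docs.count") or 0)
            result["indices"].append((entry.get("index"), count))
            result["total_docs"] += count
    return result


# Constructed responses so the probe can be exercised without a network.
OPEN_CLUSTER = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "billing-prod"})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "claims-2017", "docs.count": "2500000"},
        {"index": "claims-2018", "docs.count": "2400000"},
    ])),
}
SECURED_CLUSTER = {"/": (401, "")}     # auth layer demanding credentials
UNREACHABLE = {}                       # nothing listening on the port


def make_fake_opener(responses):
    """Return an urlopen-compatible callable serving the canned responses."""
    class _Resp:
        def __init__(self, status, body):
            self.status, self._body = status, body.encode()
        def read(self):
            return self._body
        def __enter__(self):
            return self
        def __exit__(self, *exc):
            return False

    def opener(url, timeout=None):
        parts = urllib.parse.urlsplit(url)
        path = parts.path + ("?" + parts.query if parts.query else "")
        if path not in responses:
            raise urllib.error.URLError("connection refused")
        status, body = responses[path]
        if status >= 400:   # real urlopen raises on error statuses
            raise urllib.error.HTTPError(url, status, "error", None, None)
        return _Resp(status, body)
    return opener


if __name__ == "__main__":
    for label, canned in (("open", OPEN_CLUSTER), ("secured", SECURED_CLUSTER),
                          ("down", UNREACHABLE)):
        print(label, probe_elasticsearch("http://10.0.0.5:9200",
                                         make_fake_opener(canned)))
```

Against a real host, drop the opener argument and call `probe_elasticsearch("http://host:9200")` from outside the network the cluster lives on; a result with `anonymous_access` set is the condition this story describes. The fix on the server side is to bind `network.host` in elasticsearch.yml to a private interface (or put the node behind a firewall) and to require authentication, then rerun the probe to confirm it now reports the endpoint as secured or unreachable.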