Not one of the 12 steps: Rehab patients' details exposed in publicly visible database

Researcher disturbed at availability of very personal data


More than two years of billing records from a drug and alcohol rehabilitation center were made freely available on the internet, a security researcher has discovered.

Justin Paine has been scouring the internet for exposed Elasticsearch databases and has previously found access logs from streaming services, app developers and online casinos – but the database from the Steps to Recovery rehab center in Ohio was by far the most disturbing so far.

The database covers the center's billing system. It doesn't include credit card numbers or other forms of ID, but it does include patient names alongside patient IDs, provider IDs, descriptions of the services provided and the dates they were provided, together with the medical billing codes and the fees charged.

Such information is highly personal and confidential. Anyone with access can easily see when someone was admitted to rehab, when they left, and what treatment they received while there: billing code 0901, for example, denotes electric shock treatment and 0916 family psychotherapy.

No response

Paine contacted the rehab center as well as the company hosting the database. A day later, security was applied and the database is no longer publicly readable, but he notes that he was never contacted by the company and it's unclear whether it has informed patients that their personal data was available online.

The database itself was 1.45GB and contained nearly five million documents dating from mid-2016 to late 2018, which he estimated covered around 150,000 patients. He also notes that, given the patient names and location – Ohio – it was easy to find more information on the exposed individuals through simple web searches.

Such information in the wrong hands is a recipe for disaster and could easily be used to blackmail, harass, con or steal people's identities, among many other malicious uses.

We have contacted the center and asked for more information on what happened, whether it has informed affected patients, and what steps it is taking to ensure it doesn't happen again, and will update this story if it responds.

In the meantime, it should serve as a reminder that every sysadmin should check and periodically recheck that their databases are locked down. ®
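As an added example (not part of this story and not Paine's own tooling), here is the kind of check that last paragraph calls for: a POSIX shell script that audits an Elasticsearch node for public exposure in two places, the bind settings in elasticsearch.yml and the sockets the host is actually listening on. The config files and the `ss -Hltn` output it reads are constructed samples so it runs offline; the function names, the temp-file paths and the OK/EXPOSED labels are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or from Paine: a cron-able check
# that an Elasticsearch node is not reachable from the internet. It inspects
# (1) the bind settings in elasticsearch.yml and (2) the sockets the host is
# actually listening on. The config and `ss -Hltn` output below are constructed
# samples so the script runs offline; in production point ES_CONF at the real
# file and save live `ss -Hltn` output to a file for es_wildcard_listeners.

# Print EXPOSED when network.host binds a non-loopback address while
# xpack.security.enabled is not true, otherwise OK. Before Elasticsearch 8.0
# the bind address defaults to loopback and security defaults to off, which is
# exactly how "set network.host: 0.0.0.0 to make it reachable" ends up public.
es_config_status() {
    conf="$1"
    host=$(sed -n 's/^[[:space:]]*network\.host:[[:space:]]*//p' "$conf" | tr -d "\"'" | tail -n 1)
    sec=$(sed -n 's/^[[:space:]]*xpack\.security\.enabled:[[:space:]]*//p' "$conf" | tr -d "\"'" | tail -n 1)
    case "${host:-127.0.0.1}" in
        127.0.0.1|localhost|_local_|::1) echo OK; return 0 ;;
    esac
    if [ "$sec" = "true" ]; then echo OK; else echo EXPOSED; fi
}

# From saved `ss -Hltn` output, print (sorted, unique) the TCP ports bound to
# every interface: 0.0.0.0, *, [::] or ::. 9200 (HTTP) or 9300 (transport)
# in this list means the cluster is one firewall mistake from the internet.
es_wildcard_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") print port
    }' "$1" | sort -u
}

ES_CONF=$(mktemp); ES_CONF_FIXED=$(mktemp); SS_OUT=$(mktemp)
trap 'rm -f "$ES_CONF" "$ES_CONF_FIXED" "$SS_OUT"' EXIT

# Constructed sample: the weak config that exposes the billing index to anyone.
cat > "$ES_CONF" <<'EOF'
cluster.name: billing
network.host: 0.0.0.0
http.port: 9200
EOF

# Constructed sample: bound to a private address with authentication on.
cat > "$ES_CONF_FIXED" <<'EOF'
cluster.name: billing
network.host: 10.0.1.5
xpack.security.enabled: true
EOF

# Constructed sample of `ss -Hltn`: Postgres is loopback-only, but SSH and
# both Elasticsearch ports listen on every interface.
cat > "$SS_OUT" <<'EOF'
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9200 *:*
LISTEN 0 4096 [::]:9300 [::]:*
EOF

echo "weak config:  $(es_config_status "$ES_CONF")"
echo "fixed config: $(es_config_status "$ES_CONF_FIXED")"
echo "ports open on all interfaces: $(es_wildcard_listeners "$SS_OUT" | tr '\n' ' ')"
```

Run it from cron and alert on any EXPOSED result or on 9200/9300 appearing in the wildcard list. The two checks deliberately overlap: a node bound to 0.0.0.0 with authentication switched on passes the config test but still shows up in the socket list, which is the prompt to confirm the host firewall or cloud security group actually restricts those ports rather than trusting the config alone.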


Biting the hand that feeds IT © 1998–2022