Thousands of people’s highly sensitive health details, including audio and video of therapy sessions, were openly accessible on the internet, new research has revealed. The cache of information, associated with a US health care firm, included more than 120,000 files and more than 1.7 million activity logs.
At the end of August, security researcher Jeremiah Fowler discovered the exposed trove of information in an unsecured database linked to virtual medical provider Confidant Health. The company, which operates across five states including Connecticut, Florida, and Texas, helps provide alcohol- and drug-addiction recovery, alongside mental health treatments and other services.
Within the 5.3 terabytes of exposed data were extremely personal details about patients that go beyond personal therapy sessions. Files seen by Fowler included multiple-page reports of people’s psychiatry intake notes and details of their medical histories. “At the bottom of some of the documents it said ‘confidential health data,’” Fowler says.
For instance, one seven-page psychiatry intake file, which appeared to be based on an hour session with a patient, details issues with alcohol and other substances, including how the patient claimed to have taken “small amounts” of narcotics from their grandparent’s hospice supply before the family member passed away. In another document, a mother describes the “contentious” relationship between her husband and son, including that while her son was using stimulants he accused her partner of sexual abuse.
The exposed health documents include some medical notes on people’s appearance, mood, memory, their medications, and overall mental status. One spreadsheet seen by the researcher appears to list Confidant Health members, the number of appointments they’ve had, the types of appointment, and more.
“There’s some heartbreaking, really painful family trauma, personal trauma,” Fowler says, adding that some of the files were audio and videos of patient sessions. “It’s almost like having your deepest darkest secrets that you've told your diary revealed, and it's things that you never want to get out.”
Alongside the medical files in the exposed database were administration and verification documents, including copies of driver’s licenses, ID cards, and insurance cards, Fowler says. The logs also contained indications that some data is collected by chatbots or artificial intelligence, making references to prompts and AI responses to questions.
Confidant Health quickly shut off access to the exposed database after Fowler contacted the company, he says. The researcher, who alerts companies to exposed data and does not download any of it, says a proportion of the 120,000 files that were exposed had some form of password protection in place. Fowler says he reviewed around 1,000 files to verify the exposure and determine the source of the data so he could alert the company. He says it is unusual that an exposed database would include both locked and unlocked files.
In a statement to WIRED, Confidant Health cofounder Jon Read says the company takes security concerns seriously and “take[s] issue with the sensational nature” of the findings. Read says once the company had been notified of the “improper configuration,” access to the exposed files was “fixed in less than an hour.”
“During that time, a small subset of files (less than 1% of the total files), could be accessed openly,” Read says. “These files included documents, such as faxes, as well as synthetic training data.” The company cofounder says it conducted a security audit alongside external experts and found “no malicious actors had accessed any patient records” and “no external chatbots or AI interacted with this data.” He adds that the company has updated its policies to stop exposures happening in the future.
“When we were notified about the improper configuration by a third-party security researcher, several patient records were accessed by data security personnel,” Read says. “Those patients have been informed that their information was accessed by non-clinical staff.”
Confidant Health joins hundreds, if not thousands, of organizations—including spy agencies, WWE, and firms with millions of voter records—that have exposed people’s data by improperly configuring databases stored in the cloud. While Fowler says he has seen no evidence that any criminals accessed the data from Confidant Health and its patients, health data can easily be abused if it falls into nefarious hands.
Ransomware groups have increasingly targeted medical organizations, disrupting people’s care while in hospitals and trying to extort health care providers multiple times, while health records are frequently sold on cybercrime forums. The risks can be particularly devastating with stolen sensitive personal information: At the start of 2020, Finnish psychotherapy company Vastaamo was hacked, with those behind the attack leaking people’s therapy information online and demanding they pay ransoms to get data deleted.
Niam Yaraghi, an associate professor of health management and policy at the University of Miami, says huge privacy risks can occur when health data is not properly stored. “As companies expand their services to newer areas, such as therapy, the volume and sensitivity of breached data naturally increases, which in turn increases the risks associated with that loss of data including financial, medical, and reputational damages to patients,” Yaraghi says. “Not prioritizing security, in my opinion, is the root cause of most of the subsequent breaches.”
Fowler says that while Confidant Health is helping people with their recovery, the exposure is a warning for firms in the health care space, particularly those growing quickly or offering new services, that protecting data needs to be core to their business.
“Each time something like this happens, it’s a wake-up call to that industry, and they get a little bit better, they take more precautions, they do the necessary investments for cybersecurity and data protection,” he says. “You can’t have a business, especially online or telehealth, if one of the core components of that business is not data protection.”