- A database belonging to a rehab clinic has exposed 4.9 million documents affecting 146316 patients.
- The researcher who discovered it didn’t have to perform an advanced search or pay for anything.
- The data contains full medical logs, payment details, location information, and several PII data.
Accessible ElasticSearch databases are unfortunately the daily news. That said, we only choose to report those that jeopardize something important, or expose particularly sensitive user information. Today’s story concerns the latter, as an ElasticSearch database belonging to a Pennsylvania-based rehab clinic named “Steps to Recovery” has exposed 146316 of their customers. The information in the unsecured database includes all of the treatments and procedures that the patients underwent, connected with their full names and other types of PII data. The discovery of the database was made by Justin Paine, the director of trust and safety at Cloudflare, who repeatedly warned the hosting provider with the latter failing to provide a reply for three weeks. This led to the disclosure so that the treatment center and its patients get to know of the incident.
Paine was casually searching through the Shodan IoT search engine when he found the unprotected database which contained two indexes of about 1.45GB in size, which in turn included 4.9M documents and records. Upon further investigation, he realized that he was digging through medical records, seeing age details, DoBs, current and previous home addresses, full names of the patient and their family members, phone number, email addresses, etc. A simple Google search could then even unveil that person’s political affiliation, so the potential for exploitation is high. All of this sensitive data was sitting there for anyone to access, and considering the social ignominy that usually comes along for people who go through rehabilitation, one could easily use this information for harassment, threatening, and even blackmailing.
Paine did not notice any obvious signs of a hacker having accessed the database, but considering how easy it was for him to find it, the chances of the data not to have leaked are pretty slim. There are numerous cybercriminals who are spending their days and nights looking for sensitive data like this, and even short periods of free accessibility are often enough to allow a window of data dumping. This rehab clinic database was left open for at least three weeks, so the prospect of not having been accessed by a malicious person is meager.
Steps to Recovery is yet to inform their patients that their PII, as well as much other sensitive information related to them, have leaked. Neither their website nor their social media accounts have any warnings posted. As it’s been a full month from the discovery, the clinic should have already sent notices to the affected. Once again, we are playing the wretched role of the notifier, so if you have visited Steps to Recovery lately, call them now and take action to protect yourself immediately.