Medical Information of Almost 150K Rehab Patients Exposed

Over 4.91 million documents containing personally identifiable information (PII) of addiction rehab patients were exposed by a misconfigured ElasticSearch database publicly accessible for more than two years, from mid 2016 to late 2018.

The open database containing two indexes with 1.45 GB worth of data was found by Cloudflare Director of Trust and Safety Justin Paine while searching for exposed internet-enabled devices using Shodan.
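Before an incident like this is reported to you by a stranger on Shodan, it is worth checking your own Elasticsearch nodes the way a researcher would: hit the root endpoint without credentials and, if it answers, list the indices. The script below is an added example written for this article, not code from BleepingComputer or from Paine's report. The target URL is a placeholder, and the sample responses are constructed to mirror the article's totals (two indexes, about 4.91 million documents, about 1.45 GB); they are not data from the incident.

```python
"""Probe an Elasticsearch node for unauthenticated access and summarise what it exposes.

Added example for this article; the target and sample data below are assumptions.
"""
import json
import urllib.error
import urllib.request

# Placeholder target (assumption): a node you own, not the database from the article.
TARGET = "http://127.0.0.1:9200"


def fetch(url, timeout=5):
    """GET a URL and return (status_code, body_text).

    HTTP 401/403 are returned as codes rather than raised, because an
    authentication challenge is exactly the answer we want to see.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify(root_status, root_body):
    """Classify the root endpoint (GET /) response.

    An unauthenticated Elasticsearch node answers GET / with a JSON document
    carrying "cluster_name" and "version"; a secured one answers 401 or 403.
    """
    if root_status in (401, 403):
        return "auth-required"
    if root_status == 200:
        try:
            doc = json.loads(root_body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def summarize_indices(cat_indices_json):
    """Summarise a /_cat/indices?format=json&bytes=b response.

    With bytes=b the store.size column is a plain byte count, so no unit parsing
    is needed. docs.count can be null for a closed index, hence the `or 0`.
    """
    rows = json.loads(cat_indices_json)
    indices = []
    total_docs = 0
    total_bytes = 0
    for row in rows:
        docs = int(row.get("docs.count") or 0)
        size = int(row.get("store.size") or 0)
        total_docs += docs
        total_bytes += size
        indices.append({"index": row["index"], "docs": docs, "bytes": size})
    return {"indices": indices, "total_docs": total_docs, "total_bytes": total_bytes}


def audit(base_url=TARGET):
    """Probe a node: root endpoint first, index listing only if it answered without auth."""
    try:
        status, body = fetch(base_url + "/")
    except (urllib.error.URLError, OSError):
        return {"state": "unreachable"}
    state = classify(status, body)
    result = {"state": state}
    if state == "open":
        result["version"] = json.loads(body)["version"].get("number")
        idx_status, idx_body = fetch(base_url + "/_cat/indices?format=json&bytes=b")
        if idx_status == 200:
            result.update(summarize_indices(idx_body))
    return result


# Constructed sample responses (not captured from the incident). The index name
# "infcharges" is taken from the article; "patients" and all counts are invented,
# chosen so the totals match the article's 4.91 million documents and ~1.45 GB.
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "6.4.0"},
    "tagline": "You Know, for Search",
})
SAMPLE_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "infcharges",
     "docs.count": "2740000", "store.size": "1200000000"},
    {"health": "yellow", "status": "open", "index": "patients",
     "docs.count": "2170000", "store.size": "357000000"},
])

if __name__ == "__main__":
    print("sample root classified as:", classify(200, SAMPLE_ROOT))
    print("sample indices:", summarize_indices(SAMPLE_INDICES))
    print("live probe of", TARGET, "->", audit())
```

If a node you own comes back as "open", it is reachable by anyone who can route to port 9200, which is the situation the article describes. The fix is to bind it to a private interface with `network.host` in `elasticsearch.yml`, require authentication (`xpack.security.enabled: true` on 6.8+ and 7.x, or an authenticating reverse proxy on older releases), and firewall the port; the 2016 to 2018 exposure window in this story falls in the era when Elasticsearch shipped with no authentication unless an add-on was installed, which is why unauthenticated nodes were so common in Shodan results.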

After discovering the database left open for anyone with an internet connection to access, Paine learned that the leaked data belonged to Steps to Recovery, "an addiction treatment center located in Levittown, PA."

He contacted both the rehab center and the hosting provider they used and, even though Steps to Recovery did not reply, the hosting provider managed to get in touch and "notified their customer who then promptly took action to disable access to the database."

Paine explains in his write-up how he arrived at the patient count: "Based on a random sample of 5,000 rows of data from the 'infcharges' index, I observed 267 unique patients – or roughly 5.34% were unique. Assuming this trend continues, that would suggest the database contained roughly 146,316 unique patients. To reiterate – it's entirely possible this sample of 5,000 rows of data was not representative of the entire index of data though."

While the amount of PII leaked in this incident is not unheard of, the fact that it belongs to a rehab treatment center makes the leak that much more serious; as Paine notes, considering "the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible."

By going through the leaked database, anyone who had enough knowledge to find the exposed database and connect to it could use a patient name to "locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment."

Unfortunately, even though that is all the data the ElasticSearch database itself exposed, a bad actor starting from a patient's name could easily collect a lot more on each person affected by the leak with a simple Google search.

Some of the data exposed by the database

As Paine found out, he could get a hold of "the patient's age, birthdate, address, past addresses, the names of the patient's family members, their political affiliation, potential phone numbers and email addresses," all that with a simple Google search.

To make things even worse, as he also says "Steps to Recovery has yet to reply to any inquiries. To the best of my knowledge, the treatment center has not notified their patients regarding this leak of their PII."

BleepingComputer has also reached out to Steps to Recovery for more details but had not heard back by the time of this publication.

The database left exposed by Steps to Recovery is part of a long list of data leak incidents, exposing anything from legal documents and LinkedIn job data to millions of Facebook records, personal information of disaster survivors, and blood donors' sensitive info.
