Database of Addiction Service Provider Potentially Exposed 145,000 Patient Records

The highly sensitive information of patients who were treated at addiction rehabilitation centers were found publicly accessible on the internet because a database was left unsecured. The database contained about 4.91 million records associated with about 145,000 Steps to Recovery patients. Steps to Recovery is an addiction rehabilitation provider established in Levittown, PA.

On March 24, 2019, Justin Paine, Cloudflare’s Director of Trust and Safety, identified the unsecured database. He advised Steps to Recovery and its hosting company right away concerning the breach. Thoug Steps to Recovery did not reply, the hosting company sent a reply and made the database secure. It is now not open to the public online.

Through the Shodan search engine, Paine was able to search for unsecured databases and devices. Paine stated that the ElasticSearch database is made of two indexes containing more than 1.45 GB of data. Anybody could get to the information online without requiring any authentication. The database was accessible to the public for more than two years, from 2016 to 2018.

The database included information such as patients’ names, details of their treatments and services received at Steps to Recovery, dates of services obtained, places where patients had been to, and billing particulars.

Paine is also able to get more information related to the patients by searching on Google using the data obtained from the database. For some patients, Paine ended up finding information such as birth dates, ages, email addresses, and contact telephone numbers.

Steps to Recovery did not announce the number of patients the breach impacted. The breach incident is not yet posted on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is also not known if the unsecured database online was accessed by other people.