Rehab center data breach exposes millions of patient records

Personally identifiable data for approximately 145,000 patients at the Levittown, Pa.-based Steps to Recovery addiction treatment facility and the Ohio Addiction Recovery Center in Columbus was exposed in a searchable online database, CNET reports.

Justin Paine, director of trust and safety at online security firm Cloudflare, wrote in a blog post that he was browsing search engine Shodan when he discovered an unencrypted database containing nearly 5 million rows of data about patients at both facilities from 2016 to 2018, comprising the personal information of an estimated 146,316 patients. The data included patients' names, along with types, dates and costs of treatment.

Mr. Paine wrote that he alerted Steps to Recovery and the database's hosting provider immediately upon his late March discovery of the data breach. The database was taken down soon after.

Steps to Recovery COO Cory Cooper told CNET a cybersecurity firm will be investigating the breach. The facility has yet to notify affected patients, with Mr. Cooper noting that they will do so if the investigation deems it necessary — for example, if the information is shown to have been accessed and/or used by hackers with malicious intent.

More articles about cybersecurity:
EmCare says February email breach exposed some patient, contractor and employee data
Maine hospital breaches HIPAA by emailing the names of 300 patients taking Suboxone to newspaper
Scammers pay for DNA swabs, health insurance information to defraud CMS

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Top 40 Articles from the Past 6 Months