In a shocking breach of privacy, the mental health and addiction treatment provider Confidant Health exposed over 120,000 sensitive patient records in a publicly accessible database. This data leak, discovered in late August by security researcher Jeremiah Fowler, left a trove of highly personal information unprotected, including psychiatric session notes, audio and video recordings, and even medical documents like driver’s licenses and insurance cards. Confidant Health, which operates in five states—Connecticut, Florida, New Hampshire, Texas, and Virginia—quickly shut down access after being alerted to the vulnerability.
The scale of the breach is massive, totaling 5.3 terabytes of data. The exposed files revealed intimate details of patients’ lives, including discussions of family conflicts, substance abuse histories, and psychiatric evaluations. In one case, a patient admitted to taking narcotics from a family member’s hospice care, while another document detailed a contentious family relationship involving accusations of sexual abuse.
The breach extends beyond session notes, as administrative records such as appointment logs and insurance details were also left exposed.
The breach is especially concerning given the deeply personal nature of the information involved. Fowler, who has alerted companies to data exposures before, noted that seeing such personal traumas exposed was akin to having someone’s most private thoughts written in a diary laid bare for all to see. This exposure leaves patients vulnerable to identity theft, blackmail, or even extortion, as criminals could exploit these records for financial gain or malicious intent.
In response to the incident, Confidant Health co-founder Jon Read stated that the company acted swiftly to correct the issue, resolving the database misconfiguration within an hour. However, the full extent of the damage remains unclear: it is unknown how long the data was publicly accessible or whether any unauthorized parties accessed the information before access was shut off.
This incident echoes previous breaches in the healthcare industry, such as the 2021 Vastaamo hack, in which cybercriminals extorted both a Finnish mental health provider and its patients by threatening to release sensitive records.
Health records, particularly those containing mental health or addiction treatment information, are highly prized on the dark web, where they can fetch up to $1,000 per record—far more than the going rate for stolen credit card numbers.
While Confidant Health insists that it takes security seriously, this incident underscores the ongoing risks telehealth companies face when handling sensitive data. As telemedicine grows in popularity, particularly in mental health and addiction treatment, ensuring the security of patient information is paramount. Data breaches like this one serve as a stark reminder of the vulnerabilities in digital health platforms and the devastating consequences for those affected.