A security researcher discovered an unsecured online storage server—an all-too-common occurrence known as an accidental overexposure—that linked to 4.9 million lines of patient records from an addiction treatment center called Steps to Recovery. Those millions of lines of information were not all for separate patients, but rather were separate entries on almost 150,000 of the same patients, outlining their medical treatment.
When it comes to data breaches and hacking, personally identifiable information like Social Security numbers are considered the “holy grail” of theft. Credit card information or emails are still very valuable and useful—since the card numbers make purchases until the bank shuts them down, or the email address can be sold to spammers—but Social Security numbers are permanent. With the intact data set of identifying information (PII), a thief can sell the complete records or use them to open new lines of credit in someone’s name, potentially forever.
Unfortunately, a Social Security number is not the very worst PII that can be exposed to hackers. As one report has now demonstrated, leaked patient medical treatment records can have a far more harmful effect, making the victim wish that it was “just” their Social Security number that had been stolen.
There is an unfortunate stigma that still surrounds addiction and mental health, and the possibilities are nightmarish for what a hacker could have done with this information. Whether through blackmail by threatening to expose the patients’ treatment or using the information to target them with malicious content, there are no words to describe how this could have brought harm to vulnerable people who sought help for their conditions.
Fortunately, the discovery was made by a security researcher who then contacted both Steps to Recovery and the company that hosts the treatment center’s online server. While the hosting company responded to confirm that the treatment center took down the information, Steps to Recovery never responded to the researcher’s request for information concerning patient notification. It is still not known whether the center ever informed the patients about the leak.
In order to demonstrate just how serious this is, the researcher went a little further. By cross-matching patient records that were left wide open online with basic, free Google searches, he was able to find a reasonable match for a sampling of patients listed in the leak. Those results provided names, addresses, family members’ names, ages, phone numbers and email addresses, and even political affiliations. This demonstrates just how dangerous this leak truly was, and hopefully the patients have now been informed of the situation.