A large trove of personally identifiable information (PII) has been leaked by an addiction treatment center after researchers found another unsecured Elasticsearch database online.
Justin Paine, who is also a director of trust and safety at Cloudflare, blogged about his findings late last week, claiming to have found the offending database via a simple Shodan search.
As the data trove required no authentication to access, he was able to scroll through the 1.45GB of information. Although the database contained nearly five million documents, in the end they related to around 146,000 unique patients.
Paine traced them back to Pennsylvania-based addiction treatment center Steps to Recovery.
“A leak of PII related to 146,316 unique patients would be bad on any day. It's particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction, this is almost certainly not information the patients want easily accessible,” he argued.
“What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.”
After a few cursory Google searches, he was also able to determine with “high confidence” a patient’s age, birthdate, address, previous addresses, family members’ names, their political affiliation, phone numbers and email addresses.
Despite contacting the firm about the privacy snafu at the end of March, Paine had received no response as of April 15 and there are concerns that it has still not notified patients about the risk of identity theft. However, a message he sent to the hosting provider was received and access to the database subsequently restricted.
It’s just the latest in a long line of incidents involving misconfigured Elasticsearch instances. One revealed in November last year exposed the PII of nearly 82 million Americans.
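The misconfiguration behind this and the earlier incidents is a cluster whose HTTP API answers without credentials. The following is an added example (not code from the article or from the researcher) that an operator can point at their own Elasticsearch endpoint to confirm it refuses anonymous requests; the sample responses are constructed, and the function and variable names are this example's own.

```python
import json
import urllib.error
import urllib.request


def assess_index_listing(status, body):
    """Classify the response to an unauthenticated GET /_cat/indices?format=json.

    A secured cluster answers 401 before revealing anything; an open one returns
    200 with one JSON object per index ("index", "docs.count", "store.size" ...).
    """
    if status == 401:
        return {"exposed": False, "reason": "authentication required"}
    if status != 200:
        return {"exposed": False, "reason": f"HTTP {status}"}
    try:
        indices = json.loads(body)
    except json.JSONDecodeError:
        return {"exposed": False, "reason": "body is not JSON; probably not Elasticsearch"}
    if not isinstance(indices, list):
        return {"exposed": False, "reason": "unexpected response shape"}
    # docs.count is null for closed indices, hence the "or 0".
    docs = sum(int(i.get("docs.count") or 0) for i in indices)
    return {
        "exposed": True,
        "reason": "index listing readable without credentials",
        "indices": [i.get("index", "?") for i in indices],
        "docs": docs,
    }


def audit_cluster(base_url, timeout=5):
    """Probe one Elasticsearch HTTP endpoint you operate, sending no credentials."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_cat/indices?format=json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_index_listing(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_index_listing(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as err:
        return {"exposed": False, "reason": f"unreachable: {err}"}


# Constructed sample responses (not real data) so the classifier runs offline.
SAMPLE_OPEN = json.dumps([
    {"health": "yellow", "status": "open", "index": "billing-2019", "docs.count": "4900000", "store.size": "1.4gb"},
    {"health": "yellow", "status": "close", "index": "archive-2017", "docs.count": None, "store.size": None},
])
SAMPLE_SECURED = '{"error":{"type":"security_exception","reason":"missing authentication credentials"},"status":401}'
```

If `audit_cluster` reports `exposed: True` for one of your own nodes, the fix is in `elasticsearch.yml`: enable authentication (`xpack.security.enabled: true`) and bind `network.host` to a private interface rather than a public one.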