Confidant Health Data Breach: Thousands of Patient Therapy Sessions and Patient’s PII Exposed in an Unsecured Database Online

Thousands of records belonging to Confidant Health, an AI-powered service offering mental health and addiction treatment in the US, were exposed online according to cybersecurity researcher Jeremiah Fowler.

In his report to vpnMentor, Fowler said highly sensitive patient information linked to the virtual medical provider, including 126,276 files (5.3 TB) and 1.7 million logging records, were publicly accessible online through a non-password-protected database.

“I recently discovered a trove of publicly exposed mental health and substance treatment records,” Fowler said. “Some of these documents contained the names and PII of the patients, counselors, and medical professionals.”

Exposed patient data, according to the researcher’s analysis, included:

· Images of driver’s licenses, ID cards, insurance cards and Medicaid cards

· Letters of care that listed prescription medication, and medical record requests or waivers.

· Diagnostic drug tests indicating names, addresses and test results for specific substances

· Psychotherapy intake notes and psychosocial assessments containing details about mental health and substance abuse, or touching upon the patients’ family issues, psychiatric history, trauma history, and other medical conditions

The presence of unprotected psychotherapy notes is particularly alarming, as these contain intimate details of patients’ mental health struggles, addiction histories, and sensitive discussions between therapists and patients.

After being informed of the breach, Confidant Health quickly secured the exposed database. The company released a statement expressing regret over the incident, emphasizing its commitment to ensuring such a breach does not occur again.

However, the breach raises questions about their initial security protocols and the safeguards they had in place to protect sensitive health data.

Confidant Health cofounder Jon Read told WIRED reporters that the exposed files were “fixed in less than an hour.”

Read said that during a security incident, less than 1% of files, including faxes and synthetic training data, were left exposed. Following an audit with external experts, Read confirmed that no malicious actors accessed patient records, and no external AI interacted with the data. The company updated its security policies to prevent future exposure and alerted patients whose records were accessed by internal data security personnel.

“When we were notified about the improper configuration by a third-party security researcher, several patient records were accessed by data security personnel,” Read’s told the WIRED. “Those patients have been informed that their information was accessed by non-clinical staff.”

While Confident Health says its internal audit revealed no malicious actor access patient records, users should be reminded of the importance of protecting their personal information and how to react in case of a data breach, especially when it involves sensitive health information and identifiers such as SSNs and other forms of ID.

We recommend reaching out to the healthcare provider or company involved to get details on the scope of the data breach and the steps taken to resolve it. Update passwords for any accounts potentially affected and contact your insurance provider to request a new account number. If sensitive personal information like your SSN, date of birth, or financial details has been exposed, closely monitor your credit reports and financial accounts for suspicious activity. Report any misuse of your personal information to the appropriate authorities to prevent further damage.

Has your data been part of a data breach or leak? Use Bitdefender’s Digital Identity Protection for:

- Instant Alerts: You can immediately react to data breaches and privacy threats and take swift action to prevent damage, such as changing passwords, via one-click action items.

- Real-time monitoring: The service continuously scans the internet and dark web for your personal information. You will receive alerts whenever your data is involved in a breach or leak.

- Peace of mind: This service immediately flags suspicious activity and actively monitors personal information for peace of mind.

- A 360° view of all your personal data: See your digital footprint, including traces from services you no longer use but that still have your data, and even send requests for data removal from service providers.