Addiction Centre Patients Exposed in Privacy Hiccup


A large trove of personally identifiable information (PII) has been leaked by an addiction centre after researchers discovered another unsecured Elasticsearch database online. Justin Paine, director of trust and safety at Cloudflare, recently wrote about his findings, claiming to have found the offending database through a simple Shodan search.

Easy Access

As the data trove didn’t need any authentication to gain access, he was able to scroll through the 1.45GB of information. Despite there being almost 5 million documents within the database, they related in the end to approximately 146,000 unique patients.

Paine traced them back to Pennsylvania-based addiction treatment centre, Steps to Recovery, and said, “A leak of PII related to 146,316 unique patients would be bad on any day. It’s particularly bad when it is something as sensitive as an addiction rehab centre. Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” he argued.

“What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.”

Simple information

After a few cursory Google searches, he was able to confirm with “high confidence” a patient’s age, birthdate, address, previous addresses, names of family members, political affiliation, phone numbers and email addresses.

Despite contacting the firm about the privacy hiccup at the end of March, Paine received no response as of 15th April. There are concerns that it has still not notified patients about the risks of identity theft. However, a message he sent to the hosting provider was received and access to the database was restricted.

Join us for GovSec UK

Whitehall Media’s 6th annual GovSec conference aims to enable the government to function effectively, safely and securely through improved IT and information security. The all-day conference explores how public sector organisations and professionals can make sense of securing their functions in a rapidly changing environment.