Thousands of peopleâs highly sensitive health details, including audio and video of therapy sessions, were openly accessible on the internet, new research has revealed. The cache of information, associated with a US health care firm, included more than 120,000 files and more than 1.7 million activity logs.
At the end of August, security researcher Jeremiah Fowler discovered the exposed trove of information in an unsecured database linked to virtual medical provider Confidant Health. The company, which operates across five states including Connecticut, Florida, and Texas, helps provide alcohol- and drug-addiction recovery, alongside mental health treatments and other services.
Within the 5.3 terabytes of exposed data were extremely personal details about patients that go beyond personal therapy sessions. Files seen by Fowler included multiple-page reports of peopleâs psychiatry intake notes and details of the medical histories. âAt the bottom of some of the documents it said âconfidential health data,ââ Fowler says.
For instance, one seven-page psychiatry intake file, which appeared to be based on an hour session with a patient, details issues with alcohol and other substances, including how the patient claimed to have taken âsmall amountsâ of narcotics from their grandparentâs hospice supply before the family member passed away. In another document, a mother describes the âcontentiousâ relationship between her husband and son, including that while her son was using stimulants he accused her partner of sexual abuse.
The exposed health documents include some medical notes on peopleâs appearance, mood, memory, their medications, and overall mental status. One spreadsheet seen by the researcher appears to list Confidant Health members, the number of appointments theyâve had, the types of appointment, and more.
âThereâs some heartbreaking, really painful family trauma, personal trauma,â Fowler says, adding that some of the files were audio and videos of patient sessions. âItâs almost like having your deepest darkest secrets that you’ve told your diary revealed, and it’s things that you never want to get out.â
Alongside the medical files in the exposed database were administration and verification documents, including copies of driverâs licenses, ID cards, and insurance cards, Fowler says. The logs also contained indications that some data is collected by chatbots or artificial intelligence, making references to prompts and AI responses to questions.
Confidant Health quickly shut off access to the exposed database after Fowler contacted the company, he says. The researcher, who alerts companies to exposed data and does not download any of it, says a proportion of the 120,000 files that were exposed had some form of password protection in place. Fowler says he reviewed around 1,000 files to verify the exposure and determine the source of the data so he could alert the company. He says it is unusual that an exposed database would include both locked and unlocked files.
In a statement to WIRED, Confidant Health cofounder Jon Read says the company takes security concerns seriously and âtake[s] issue with the sensational natureâ of the findings. Read says once the company had been notified of the âimproper configuration,â access to the exposed files was âfixed in less than an hour.â
