Telehealth Firm Left Database of Patient Records Exposed Online

Confidant Health, a startup that provides virtual mental health services to over 5,000 users across five states, reportedly left over 5TB of sensitive patient data exposed to the public Internet.

The exposed database of patient data was discovered by vpnMentor security researcher Jeremiah Fowler, who described his findings in a blog post last week. The data was a "trove" of personally identifiable information, according to Fowler, comprising patient names, addresses, license and insurance cards, prescriptions, drug test results, therapy notes, mental health assessments, and names and details of patients' close family members. The data included documents and image scans, as well as audio and video files.

Altogether, the information in the database amounted to 5.3TB, or over 126,000 files. Not every file was publicly accessible on the Internet, though the database itself was.

Fowler traced the data to Confidant, which specializes in telehealth services for substance abuse and mental health patients. Its mobile app connects patients with care providers and facilitates virtual appointments. Founded in 2019, Confidant currently has patients in Connecticut, New Hampshire, Virginia, Texas and Florida.

Fowler said he "immediately" alerted Confidant to the exposed database, and access was restricted to the public "within hours."

However, by that point, the extent of the exposure was difficult to pin down. "It is not known how long the documents were exposed or if anyone else may have gained access to the database. Only an internal forensic audit would be able to identify additional access or suspicious activity," he wrote. "It is also not known if the database was managed directly by Confidant Health or a third party."

In a statement to Wired, Confidant co-founder Jon Read downplayed the exposure. Less than 1 percent of the files in the database were publicly accessible, he told the publication, and the affected patients have since been notified.

According to Read, after an investigation, Confidant found no evidence indicating any of the data was accessed by malicious actors.

Health records are especially lucrative for cybercriminals. Because of the sensitivity of the information, affected patients are susceptible to extortion or ransomware demands. Therefore, Fowler said, "[a]ny organization that provides telehealth services and that manages sensitive patient information through a platform or app must take every possible step to protect the data they collect and store."

He recommends that companies like Confidant encrypt all sensitive patient data and ensure that it is not publicly accessible, move older records into archive storage, perform regular security audits, make multifactor authentication a requirement for customers, and train end users to recognize common attack methods.

"The days of patients' files being stored in a physical file cabinet are virtually over," Fowler said, "and as more medical records are stored online it is more important than ever to ensure the protection and security of health data."

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.