Psychological profiles and therapy sessions of thousands of patients, including “telehealth” audio and video, and even driver’s licenses, have been leaked onto the open web.
Healthcare startup Confidant Health left more than 1.7 million activity records, comprising approximately 5.3 terabytes of mental health data, exposed online.
The Austin-based company, which promised to build “the next generation of virtual care” for those seeking addiction treatment and other behavioral therapies, had left its patients’ sensitive information exposed through an “unpassword-protected database.”
This serious privacy breach comes amid a summer of catastrophic leaks, including the July “RockYou2024” Independence Day hack, which exposed a staggering 10 billion passwords to cybercriminals, and a massive breach of US Social Security numbers.
Since its founding in 2018, the Confidant Health app, which is available via iOS and Android, has been downloaded more than 10,000 times on the Google Play Store.
The company currently provides clinical services to patients in Connecticut, New Hampshire, Virginia, Texas and Florida.
Austin-based telehealth company Confidant Health was caught leaving sensitive patient information exposed on the open web via an “unpassword-protected database.”
Above, a collage of redacted screenshots showing some of the insurance documents, driver’s licenses and other state-issued identification that were publicly accessible.
Jeremiah Fowler, the cybersecurity researcher who discovered the shocking breach of patient privacy, said the audio and video files contain “heartbreaking and really painful personal and family trauma.”
“It’s almost like they’re revealing the darkest secrets you’ve ever told your diary,” Fowler continued. “These are things you never want to see come out.”
For reasons of professional ethics, Fowler said he did not download any private medical information. He also did not try to access the password-protected databases, but warned that a dedicated hacker could easily do so.
“Cybercriminals have a variety of tools at their disposal, including brute force attacks and social engineering attempts that could potentially result in unauthorized access to those protected files and documents,” the researcher explained.
Fowler reported that she observed publicly viewable patient documents that were clearly psychotherapy admission notes, evaluations detailing medical professionals’ opinions about patients’ mental health, substance abuse, family problems, psychiatric history and more.
But that private medical data was just one facet of the leak: Many other files also included records stored for administrative and verification purposes, such as driver’s licenses, state-issued identification cards and insurance cards.
According to Fowler, the more than 1 million leaked records indicated that some of the aforementioned data had been collected by Confident Health’s proprietary chatbots and artificial intelligence — features the company has long touted in the press.
“A data-centric environment like the one we’re building lends itself to leveraging AI (artificial intelligence) to make predictive suggestions,” Confident co-founder Sam Arsenault Wilson said in a 2022 interview.
“That’s where we’re headed once the data reaches the appropriate scale,” he said.
The leak also included drug tests, including some with a patient’s personally identifiable information (PII) and their positive drug test results (in one case, marijuana and alcohol).
Above, a breakdown of the exposed private mental health data as documented by cybersecurity researcher Jeremiah Fowler, who discovered and reported the flaw to both Confident Health and cybersecurity researchers at vpnMentor.
Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), medical professionals, businesses, and organizations must take detailed steps to preserve the privacy of your clients’ protected health information (PHI).
PHI often overlaps with this similar class of PII data, which is protected across a wide variety of industries and government agencies.
“In a random sample that I reviewed,” Fowler noted in his report for the security site. vpnMentor‘The open and publicly accessible files (…) contained what could be considered a very serious potential risk to the personal privacy and personally identifiable information of those individuals.’
Fowler said he reviewed about 1,000 files to verify the extent of the exposure risk and better understand how the error had occurred so he could alert the company more accurately, adding: “I was able to view them using just a web browser.”
According to Fowler, an exposed database containing password-protected and also unlocked patient data files, or any other files, is unusual.
“Public access to the documents was restricted within hours” after her own direct message to Confident notifying them of the lack of patient privacy, Fowler said.
DailyMail.com has reached out to Confidant Health co-founder Jon Read via two email addresses for comment, but Read has not yet responded.
Since Confidant Health was founded in 2018, its app has been downloaded over 10,000 times on the Google Play Store. The company (logo above) currently offers clinical services to patients in Connecticut, New Hampshire, Virginia, Texas, and Florida.
Another screenshot from cybersecurity researcher Jeremiah Fowler, confirming that this leak included drug tests, like the one above, which contained a patient’s personally identifiable information (PII) and their positive drug test results, in this case marijuana and alcohol.
But speaking previously to WIRED magazine, the company’s co-founder said he “disagrees with the sensationalist nature” of Fowler’s published findings.
After confirming Fowler’s own report that the exhibition was restricted shortly after the company was notified, Read told WITH WIRE that “during that time” only “a small subset of files (less than 1 percent of total files) were openly accessible.”
‘These files included documents, such as faxes, as well as synthetic training data.’
“No malicious actor had accessed any patient records,” Read continued, adding that “no external chatbot or AI interacted with this data.”
Read said Confident Health conducted its own internal security audit along with hired outside experts to confirm the security of its patient data.
Company policies have been updated to prevent future exposures, he said.
The company also alerted its customers about the investigation: “When we were notified of the misconfiguration by an outside security researcher,” Read said, “data security personnel accessed several patient records.”
“These patients have been informed that their information was accessed by non-clinical personnel,” the co-founder said.
