A new study has revealed that highly sensitive health data of thousands of people, including audio and video of therapy sessions, was openly available on the internet. The data set, associated with a US healthcare company, included more than 120,000 files and more than 1.7 million activity records.
In late August, security researcher Jeremiah Fowler discovered the treasure trove of information exposed in an unsecured database linked to virtual medical provider Confidant Health. The company, which operates in five states including Connecticut, Florida and Texas, helps provide recovery from alcohol and drug addiction, along with mental health treatment and other services.
Among the 5.3 terabytes of data exposed were extremely personal details about patients that go beyond face-to-face therapy sessions. The files Fowler saw included multi-page reports containing patients’ psychiatric admission notes and details of their medical records. “At the bottom of some of the documents it said ‘sensitive health data,’” Fowler says.
For example, a seven-page psychiatric record, which appeared to be based on a one-hour session with a patient, details problems with alcohol and other substances, including how the patient claimed to have taken “small amounts” of narcotics from his grandfather’s hospice supply before the relative died. In another document, a mother describes the “contentious” relationship between her husband and son, including that while her son was using stimulants he accused his partner of sexual abuse.
The exposed health documents include some medical notes about people’s appearance, mood, memory, medications they take and general mental state. One spreadsheet the investigator viewed appears to include a list of Confidant Health members, the number of appointments they had, the types of appointments and more.
“There are very painful and heartbreaking family and personal traumas,” says Fowler, adding that some of the files were audio and video of sessions with patients. “It’s almost like they reveal to you the darkest secrets that you told your diary, and they’re things you never want to bring to light.”
Along with the medical records in the exposed database were administrative and verification documents, including copies of driver’s licenses, ID cards and insurance cards, Fowler says. The records also contained indications that some data is collected by chatbots or artificial intelligence, making references to AI prompts and responses to questions.
Confidant Health quickly shut down access to the exposed database after Fowler contacted the company, he says. The researcher, who alerts companies about exposed data and does not download any of it, says a proportion of the 120,000 files that were exposed had some form of password protection. Fowler says he reviewed about 1,000 files to verify the exposure and determine the source of the data so he could alert the company. He says it is unusual for an exposed database to include both locked and unlocked files.
In a statement to WIRED, Confidant Health co-founder Jon Read says the company takes security concerns seriously and “disagrees with the sensational nature” of the findings. Read says that once the company was notified of the “misconfiguration,” access to the exposed files was “fixed within an hour.”
