Millions of rehab records leak, including patient names – nearly 150,000 affected

Millions of patient records for drug and alcohol rehab were leaked, in a data breach that affects an estimated 150,000 individuals, CNET reports.

"Records for potentially tens of thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday."

Here's the security researcher's source material, from

Here's an excerpt from CNET's report:

The 4.91 million documents included patients' names, as well as details of the treatments they received, according to Justin Paine, the researcher. Each patient had multiple records in the database, and Paine estimates that the records may cover about 145,000 patients.

Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.

"Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible," Paine said in a blog post that he shared with CNET ahead of publication. Paine hunts for unsecured databases in his free time. His day job is head of trust and safety at web security company Cloudflare.

The find is the latest example of a widespread problem: Any organization can easily store customer data on cloud-based services now, but few have the expertise to set them up securely. As a result, countless unsecured databases sit online and can be found by anyone with a few search skills. Many of those databases are full of sensitive personal data.

A leak of health care data is a significant problem that can trigger requirements under federal law to notify patients of the problem. Paine said he has no indication that patients have been notified of the database exposure and that Steps to Recovery, the Pennsylvania rehab center whose data makes up the bulk of the leak, didn't respond to his messages telling them of the exposure.

Patient names, treatments leak among millions of rehab records [LAURA HAUTALA/CNET]

[VIA @goretsky]