Patient billing files from Sunshine Behavioural Health, LLC, an alcohol and drug addiction treatment network, have been exposed online.
According to a blog post by DataBreaches.net, approximately 93,000 patient files connected to patients at the Monarch Store, Chapters Capistrano and Willow Springs Recovery facilities were exposed because of a misconfigured AWS S3 storage bucket.
It should be noted that the 93,000 files do not represent 90,000 unique patients, as many patients have multiple files and some files appeared to be templates or test data.
The files contained patient information including full names, dates of birth, postal and email addresses, telephone numbers, full credit card numbers with partial expiry dates and full CVV codes. In addition, health insurance membership numbers, account numbers, statements concerning insurance benefits and amounts due and paid were also included.
DataBreaches.net noted that not all patients had all those data types exposed.
The exposed data was discovered in August by an unidentified individual who subsequently informed DataBreaches.net, which then alerted a Sunshine Behavioural Health employee on September 4.
The next day the files were still unsecured, so DataBreaches.net got back in contact with the Sunshine Behavioural Health Director of Compliance, Stephen VanHooser. Soon after, the database was secured and made private.
However, when it tried to follow up, DataBreaches.net discovered “that the files were still accessible without any password required if you knew where to look. And anyone who had downloaded the URLs of the files in the bucket while the bucket was exposed would know where to look.”
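The behaviour described above, where a bucket no longer lists its contents yet individual files still open by direct URL, is what an audit of S3 access controls should catch. A common way for it to arise (stated here as an assumption, since the article does not say how the bucket was configured) is that the bucket ACL is set to private while objects uploaded earlier keep their own public-read grants, and Block Public Access is not fully enabled. The following is an added example written for this article, not code from DataBreaches.net or Sunshine Behavioural Health; the dictionaries mirror the shape boto3 returns from `get_bucket_acl`, `get_object_acl` and `get_public_access_block`, but are constructed sample data so the script runs offline.

```python
"""Audit S3 ACL grants and Block Public Access for leftover public access.

Constructed example: the sample dictionaries below are hand-written in the
shape boto3 returns; they do not come from any real account or bucket.
"""

# Grantee URIs that mean "everyone" and "every AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTHENTICATED_USERS}

# The four settings of S3 Block Public Access; all must be True to be safe.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_permissions(acl):
    """Return the set of permissions an ACL grants to a public group grantee."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.add(grant["Permission"])
    return found


def block_public_access_complete(config):
    """True only when every Block Public Access setting is enabled.

    IgnorePublicAcls is the one that neutralises public-read grants already
    present on individual objects; a bucket-level fix alone does not.
    """
    return all(config.get(key) is True for key in PAB_SETTINGS)


def audit(bucket_acl, object_acls, public_access_block):
    """Return finding strings for one bucket and a sample of its object ACLs."""
    findings = []
    if "READ" in public_permissions(bucket_acl):
        findings.append("bucket: anonymous listing allowed (READ on bucket ACL)")
    for key, acl in sorted(object_acls.items()):
        if "READ" in public_permissions(acl):
            findings.append(f"object {key}: readable by anyone who knows the URL")
    if not block_public_access_complete(public_access_block):
        findings.append("bucket: Block Public Access is not fully enabled")
    return findings


# --- constructed sample data (hypothetical owner id and object keys) ---
OWNER = {"ID": "sample-owner-canonical-id", "DisplayName": "sample-owner"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
               "Permission": "FULL_CONTROL"}
PUBLIC_READ_GRANT = {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                     "Permission": "READ"}

# Bucket ACL already "made private": owner only, so listing the bucket fails.
SAMPLE_BUCKET_ACL = {"Owner": OWNER, "Grants": [OWNER_GRANT]}

# One object still carries the public-read grant it was uploaded with.
SAMPLE_OBJECT_ACLS = {
    "billing/statement-0001.pdf": {"Owner": OWNER, "Grants": [OWNER_GRANT, PUBLIC_READ_GRANT]},
    "billing/statement-0002.pdf": {"Owner": OWNER, "Grants": [OWNER_GRANT]},
}

# Three of four settings on; IgnorePublicAcls left off, so object ACLs still apply.
SAMPLE_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for finding in audit(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS, SAMPLE_PUBLIC_ACCESS_BLOCK):
        print(finding)
```

Against a live account the same three functions would be fed the responses of `get_bucket_acl`, `get_object_acl` for a sample of keys, and `get_public_access_block`; the point of the check is that a private bucket ACL by itself is not the end of the incident, and that enabling all four Block Public Access settings closes the per-object gap without touching every object.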
Reportedly, DataBreaches.net reached out again to Sunshine Behavioural Health on November 10 and 12 – and shortly after that the files were finally secured.
DataBreaches.net found no indication that Sunshine Behavioural Health had notified the public of the data leak: “[T]here has been nothing on their website, the California Attorney General’s website, or HHS’s public breach tool, even though it is more than 70 days since they were first notified,” said the blog post.
The post #Privacy: Over 90K patient billing files exposed online appeared first on PrivSec Report.