Exclusive: The exposed data affects nearly 150,000 people.
It's some of the most sensitive medical information a person could have. Records for potentially tens of thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday.
The 4.91 million records included patients' names, as well as details of the treatments they received, according to Justin Paine, the researcher. Each patient had multiple records in the database, and Paine estimates that the records may cover about 145,000 patients.
Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.
"Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible," Paine said in a blog post that he shared with CNET ahead of publication. Paine hunts for unsecured databases in his free time. His day job is head of trust and safety at web security company Cloudflare.
The find is the latest example of a widespread problem: Any organization can easily store customer data on cloud-based services now, but few have the expertise to set them up securely. As a result, countless unsecured databases sit online and can be found by anyone with a few search skills. Many of those databases are full of sensitive personal data.
A leak of health care data is a significant problem that can trigger requirements under federal law to notify patients of the problem. Paine said he has no indication that patients have been notified of the database exposure and that Steps to Recovery, the Pennsylvania rehab center whose data makes up the bulk of the leak, didn't respond to his messages telling them of the exposure.
Steps to Recovery Chief Operating Officer Cory Cooper told CNET on Friday the company is bringing in a cybersecurity firm to investigate. The company will notify patients if the investigation finds there was a breach that requires it, he said.
"We take the security and confidentiality of our patient records very seriously," Cooper said.
Another rehabilitation center named in the data, Ohio Addiction Recovery Center, didn't respond to a request for comment from CNET. Cooper said the Ohio facility isn't associated with Steps to Recovery.
Paine said he could find further identifying information, like a patient's age, birth date, address and family members, just by searching their name and probable location. He said there's no indication that hackers accessed the data.
"I found this data leak purely by accident, but a malicious person could have also found this same data, and potentially used it as part of identity theft," Paine said.
Medical identity theft is a common form of fraud in which someone uses another person's name and insurance information to receive health care. Sometimes this fraud happens on a much larger scale. In 2010, federal investigators charged a group of people with setting up more than 100 fake clinics and billing insurance companies for fake services with stolen patient and doctor records.
But identity theft isn't the only risk to rehab patients whose data is exposed online, said Eva Velasquez, executive director of the Identity Theft Resource Center. The loss of privacy and potential impact on a patient's reputation is just as important.
"It speaks to the mindset that any entity has to adopt when it comes to the data they collect and how they protect it," Velasquez said.
Read More: Best Password Managers | Best VPN Services | Best Identity Theft Providers
Originally published April 18 at 7 a.m. PT.
Update at 8:30 a.m.: Adds comment from Steps to Recovery.