4.9 Million Rehab Clinic Documents Exposed on Unsecured Database

Last updated September 17, 2021
Written by: Bill Toulas, Infosec Writer

Accessible ElasticSearch databases are, unfortunately, daily news. That said, we only choose to report those that jeopardize something important or expose particularly sensitive user information. Today’s story concerns the latter: an ElasticSearch database belonging to a Pennsylvania-based rehab clinic named “Steps to Recovery” has exposed the data of 146,316 of its customers. The information in the unsecured database includes all of the treatments and procedures that the patients underwent, linked to their full names and other types of PII. The database was discovered by Justin Paine, the director of trust and safety at Cloudflare, who repeatedly warned the hosting provider, with the latter failing to provide a reply for three weeks. This led to the disclosure, so that the treatment center and its patients get to know of the incident.

Paine was casually searching through the Shodan IoT search engine when he found the unprotected database, which contained two indexes of about 1.45GB in size, which in turn included 4.9M documents and records. Upon further investigation, he realized that he was digging through medical records, seeing age details, dates of birth, current and previous home addresses, full names of the patients and their family members, phone numbers, email addresses, etc. A simple Google search could then even reveal a person’s political affiliation, so the potential for exploitation is high. All of this sensitive data was sitting there for anyone to access, and considering the social ignominy that usually accompanies people who go through rehabilitation, one could easily use this information for harassment, threats, and even blackmail.

[Image. Source: rainbowtabl.es]

Paine did not notice any obvious signs of a hacker having accessed the database, but considering how easy it was for him to find it, the chances that the data has not leaked are pretty slim. Numerous cybercriminals spend their days and nights looking for sensitive data like this, and even short periods of open access are often enough to give them a window for dumping the data. This rehab clinic database was left open for at least three weeks, so the prospect of it not having been accessed by a malicious person is meager.

Steps to Recovery has yet to inform its patients that their PII, as well as much other sensitive information related to them, has leaked. Neither its website nor its social media accounts have any warnings posted. As it’s been a full month since the discovery, the clinic should have already sent notices to those affected. Once again, we are playing the wretched role of the notifier, so if you have visited Steps to Recovery lately, call them now and take action to protect yourself immediately.
