Health care

More than 1.7 million medical records for American patients have been exposed online – and the leaks include video programs

Psychiatry and treatment sessions for thousands of patients, including ‘telehealth’ audio and video and even driving licences, have gone online.

More than 1.7 million records, containing an estimated 5.3 terabytes of mental health data, have been exposed online by the health agency Confidant Health.

An Austin-based firm – which promises to build the next generation of virtual care for those seeking addiction treatment and other behavioral therapies – has left its patients’ confidential information exposed in a ‘password protected database.’

The massive leak comes amid a summer of serious leaks, including July’s Independence Day ‘RockYou2024,’ which exposed an astonishing 10 billion passwords to cybercriminals, and a massive breach of US social security numbers.

Since its launch in 2018, the Confidant Health app, available on iOS and Android, has been downloaded over 10,000 times on the Google Play Store.

The company currently provides medical services to patients in Connecticut, New Hampshire, Virginia, Texas and Florida.

Austin-based telehealth firm Confidant Health was caught leaving its patients’ private information exposed on the open internet in a “password-protected database”

Above, a photo collage was made showing some of the insurance documents, driver's licenses and other government-issued IDs that were publicly available.

Jeremiah Fowler, the cybersecurity researcher who discovered the shocking breach of patient privacy, said the audio and video files contained ‘some heartbreaking, heartbreaking family, personal trauma.’

‘It’s almost like having your deepest secrets told in your diary,’ Fowler continued. ‘They’re things you never want to get out of.’

For reasons of professional ethics, Fowler said he did not download any confidential medical information. He also didn’t try to access password-protected networks, but noted that a dedicated hacker would make short work of it.

‘Cyber criminals have many tools at their disposal including brute force attacks and social engineering attempts that may result in unauthorized access to those protected files and documents,’ the researcher explained.

Fowler reported that he observed publicly available patient documents that were apparently psychotherapy notes, reviews that detailed medical professional opinions about patients’ mental health, substance abuse drugs, family issues, mental health history and more.

But that private medical data was only one part of the breach: many other files also included records kept for administrative and authentication purposes, such as driver’s licenses, government-issued ID cards and insurance cards.

According to Fowler, the million-plus leaked screenshots showed that some of the above data was collected by Confidant Health’s chatbots and artificial intelligence, features the company does not yet own. presented long in the newspaper.

‘A data-centric environment like the one we’re building helps improve AI [artificial intelligence] to make predictions,’ Confidant co-founder Sam Arsenault Wilson said in a 2022 interview.

He said: ‘That’s where we’re headed once the data gets to the right scale.’

The leak also included drug tests, including some containing a patient’s Personally Identifiable Information (PII) and their positive drug test results — in one case for marijuana and alcohol.

Above, a breakdown of exposed mental health data as reported by cybersecurity researcher Jeremiah Fowler, who discovered and reported the breach at Confidant Health itself, and cybersecurity researchers at vpnMentor.

Under the US Health Insurance Portability and Accountability Act (HIPAA), medical professionals, companies and organizations must take comprehensive measures to maintain the confidentiality of their clients’ Protected Health Information (PHI).

PHI often overlaps with this same set of PII data, which is protected across many industries and government agencies.

‘In a random sample I checked,’ Fowler said in his report for the security site vpnMentor, ‘open and publicly available files. […] contained what could be considered a very serious threat to the privacy and PII of those individuals.’

Fowler said he reviewed about 1,000 files to determine the extent of the risk of exposure and better understand how it happened so he could properly warn the company, adding: ‘I was only able to view using a web browser.’

An exposed database containing password-protected and unlocked data files, or any files at all, is not unusual, according to Fowler.

“Public access to the documents was restricted within hours” of his direct message to Confidant notifying them of the breach of patient confidentiality, Fowler said.

DailyMail.com reached out to Confidant Health co-founder Jon Read at two email addresses for comment, but Read has not yet responded.

Since Confidant Health was founded in 2018, its app has been downloaded more than 10,000 times on the Google Play Store. The company (logo above) currently provides medical services to patients in Connecticut, New Hampshire, Virginia, Texas and Florida

Another image from cybersecurity researcher Jeremiah Fowler, confirming that the leak involved drug tests, like the one above, containing a patient’s Personally Identifiable Information (PII) and their positive drug test results – in this case marijuana and alcohol.

But, speaking to WIRED magazine earlier, the company’s co-founder said he ‘take[s] subject of a provocative nature’ of Fowler’s published research.

After confirming Fowler’s report that exposure was blocked shortly after the company was notified, Bala told WIRED that ‘at that time’ only ‘a small group of files (less than 1 percent of all files), can be freely accessed.’

‘These files included documents, such as faxes, as well as artificial intelligence training material.’

‘No malicious actors have ever had access to patient records,’ Bala continued, adding that ‘there are no external chatbots or AI interacting with this data.’

Bala confirmed that Confidant Health has conducted its own internal security audit along with contracted external experts to ensure the safety of its patients’ data.

He said the company’s policies have been updated to prevent future exposure.

The firm also alerted its customers to this question: ‘When we were informed about the inappropriate configuration by a third-party security researcher,’ Bala said, ‘several patient reports were found by data protection staff.’

‘Those patients have been informed that their information has been accessed by non-clinical staff,’ according to the co-founder.
