Et allez...

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected misconfigured server containing confidential records from Confidant Health, a Texas-based AI platform offering mental health and addiction treatment services to residents of Connecticut, Florida, New Hampshire, Texas, and Virginia.

For your information, Confidant Health offers a range of services including alcohol rehab, an online suboxone clinic, pre-addiction treatment, a behaviour change program, a recovery coach, opioid withdrawal management, and medication-assisted treatment, and has a Telehealth Addiction Recovery app with over 10,000 downloads.

The database in this incident contained over 126,276 files (approx. 5.3 TB) and 1.7 million logging records, exposed sensitive information such as:

• Personal Identifying Information (PII): Names, addresses, contact details, driver’s licenses, and insurance information.
• Mental Health Assessments: Detailed evaluations of patients’ mental health conditions, family histories, and trauma experiences.
• Medical Records: Prescription medication lists, diagnostic test results, health insurance details, Medicaid cards, medical records, treatment transcripts, letters of care listing prescription medication, and medical record requests or waivers.
• Audio and Video Recordings: It also includes audio and video recordings of sessions and text transcripts, discussing deeply personal family topics, including children, parents, partners, and conflicts.