Another day, another leak. In this case, a misconfiguration exposed some personal and financial information of patients treated for alcohol or drug addiction. Sunshine Behavioral Health, LLC is a private network of drug and alcohol addiction treatment facilities with locations in California, Texas, and Colorado. At some time as yet unknown to DataBreaches.net, approximately 93,000 patient files related to billings for patients at their Monarch Shore, Chapters Capistrano, and Willow Springs recovery facilities were exposed online due to a misconfiguration of an Amazon AWS S3 bucket. DataBreaches.net notes that the approximately 93,000 files did not represent 90,000 unique patients, as for many patients there was more than one file, and not all files were real ones (some appeared to be templates or test data). The leak was discovered in August by someone who shared the exposed data with DataBreaches.net. After verifying that the data were exposed, this blogger called Sunshine Behavioral Health on September 4 to alert them to the exposed data. The employee who took the call said he understood that he needed to pass along the message immediately to their infosecurity people, but the files were still unsecured the next day. So DataBreaches.net called them again. This time, I was told that the employee I had spoken with the previous day was not there at the time, and I was asked to call back. I may or may not have hollered at that point, but I did tell the employee who had answered the phone that I wouldn’t call back again, and they needed to have someone in charge of patient privacy or data security call me back promptly. Stephen VanHooser, their Director of Compliance, returned my call. He claimed he knew nothing about my phone call to them the previous day, so I have no idea what the first employee did, if anything. But after I spoke with VanHooser, access to the bucket was disabled.
Sunshine Behavioral never got back to me to tell me the results of any investigation or what they were doing in response to the incident. And there has been nothing on their website, the California Attorney General’s website, or HHS’s public breach tool, even though it is more than 70 days since they were first notified or discovered the exposure. Did Sunshine Behavioral Health ever notify HHS OCR or any patients or state regulators? Did they investigate and ascertain that notification was not required? Do they know how many people might be in possession of a copy of all those files? DataBreaches.net does not know the answers to those questions. But in trying to check what they had done, I realized that the files were still accessible without any password required if you knew where to look. And anyone who had downloaded the URLs of the files in the bucket while the bucket was exposed would know where to look (I realize this is true for these situations in general and is not unique to Sunshine Behavioral Health). On November 10, I sent VanHooser an email notification that the files were still not secure. I also asked what Sunshine had found after they investigated my September 4 notification, and whether they had notified any regulators or patients. Getting no answer at all, I sent a second email to him on November 12. He has not responded, but it appears access to the files has been disabled. So what was in the unencrypted files? They generally did not contain treatment or medical history records, although a few do contain diagnostic codes, treatment codes, or references to “detox.” For the most part, though, they were billing statements or agreements concerning unpaid bills for some patients treated between 2016 and this year. The screenshots above show two of a number of types of files in the exposed bucket.
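The point above, that files stayed fetchable by URL after access to the bucket was disabled, comes down to S3 permission layers: listing is a bucket-level permission, while each object's own ACL can still grant READ to everyone until Block Public Access is turned on. The following added example (not from DataBreaches.net or Sunshine Behavioral Health) audits constructed object ACLs against a Block Public Access configuration to show which objects an anonymous GET would still retrieve; dict shapes follow boto3's get_object_acl and get_public_access_block responses, and all keys and IDs are constructed placeholders.

```python
# Added example: why S3 objects remain reachable by direct URL after a bucket
# is made non-listable. No AWS calls are made; all data below is constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_PERMS = {"READ", "FULL_CONTROL"}


def acl_grants_public_read(grants):
    """True if any grant gives READ or FULL_CONTROL to an anonymous / any-AWS-user group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in READ_PERMS
        for g in grants
    )


def object_reachable_by_url(object_grants, public_access_block):
    """An anonymous GET on the object succeeds unless public ACLs are ignored.
    (Bucket policies are a separate path, governed by RestrictPublicBuckets.)"""
    if public_access_block.get("IgnorePublicAcls", False):
        return False
    return acl_grants_public_read(object_grants)


def find_exposed_objects(objects, public_access_block):
    """objects: {key: grants}. Returns keys an unauthenticated user can still fetch."""
    return sorted(k for k, grants in objects.items()
                  if object_reachable_by_url(grants, public_access_block))


# Block Public Access fully enabled (the actual remediation) vs. listing-only fix.
HARDENED_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
LISTING_ONLY_FIX = {k: False for k in HARDENED_BLOCK}  # bucket non-listable, ACLs untouched

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SAMPLE_OBJECTS = {  # constructed keys, not from the incident
    "billing/statement-0001.pdf": [OWNER, PUBLIC_READ],
    "billing/statement-0002.pdf": [OWNER, PUBLIC_READ],
    "templates/blank-agreement.docx": [OWNER],
}

if __name__ == "__main__":
    print("after disabling listing only:", find_exposed_objects(SAMPLE_OBJECTS, LISTING_ONLY_FIX))
    print("after Block Public Access:   ", find_exposed_objects(SAMPLE_OBJECTS, HARDENED_BLOCK))
```

The same check against a live bucket would pull each object's grants with get_object_acl and the bucket's configuration with get_public_access_block, which is where the constructed dicts above come from.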
Files revealed the following kinds of patient information: full name; date of birth; postal and email addresses; telephone numbers; full credit card numbers with partial expiry dates (month/day) and full CVV code; health insurance membership number, account number, statements concerning insurance benefits, and amounts due and paid. Not all patients had all of those data types exposed. Because Sunshine Behavioral Health did not respond to queries, DataBreaches.net sent inquiries to some patients whose data was exposed to ask if they were ever notified of the exposure incident. So far, out of the small sample of patients, none of the emails have bounced back, but none of the patients have responded. This post may be updated if more information is obtained. DataBreaches.net has not yet decided whether to report this incident to HHS OCR, but is reporting it here because Sunshine Behavioral Health has neither posted anything on their site nor informed this site whether they have made notifications to patients and/or regulators.