Hack Notice

Hack Notice: Exclusive: More than 90,000 patient billing files from an alcohol and drug addiction treatment network exposed online

Source
https://www.databreaches.net/exclusive-more-than-90000-patient-billing-files-from-an-alcohol-and-drug-addiction-treatment-network-exposed-online/
Description
Another day, another leak. In this case, an error exposed some personal and financial information of patients treated for alcohol or drug addiction. Sunshine Behavioral Health, LLC is a private network of drug and alcohol addiction treatment facilities with locations in California, Texas, and Colorado. At some time as yet unknown to DataBreaches.net, approximately 93,000 patient files related to billings for patients at their Monarch Shore, Chapters Capistrano, and Willow Springs recovery facilities were exposed online due to a misconfiguration of an Amazon AWS S3 bucket. DataBreaches.net notes that the approximately 93,000 files did not represent 90,000 unique patients, as for many patients, there was more than one file, and not all files were actual files (some appeared to be templates or test data).

The leak was discovered in August by someone who shared the exposed data with DataBreaches.net. After verifying that the data were exposed, this blogger called Sunshine Behavioral Health on September 4 to alert them to the exposed data. The employee who took the call said he understood that he needed to pass along the message immediately to their infosecurity people, but the files were still unsecured the next day. So DataBreaches.net called them again. This time, I was told that the employee I had spoken with the previous day was not there at the time, and I was asked to phone back. I may or may not have hollered at that point, but I did tell the employee who had answered the phone that I wouldn’t phone back again, and they needed to have someone in charge of patient privacy or data security call me back promptly. Stephen VanHooser, their Director of Compliance, returned my call. He claimed he knew nothing about my phone call to them the previous day, so I have no idea what the first employee did, if anything. But after I spoke with VanHooser, access to the bucket was disabled.

Sunshine Behavioral never got back to me to tell me the results of any investigation or what they were doing in response to the incident. And there has been nothing on their website, the California Attorney General’s website, or HHS’s public breach tool, even though it is more than 70 days since they were first notified or discovered the exposure. Did Sunshine Behavioral Health ever notify HHS OCR or any patients or state regulators? Did they investigate and ascertain that notification was not required? Do they know how many people might be in possession of a copy of all those files? DataBreaches.net does not know the answer to those questions.

But in trying to follow up to check what they had done, I realized that the files were still accessible without any password required if you knew where to look. And anyone who had downloaded the URLs of the files in the bucket while the bucket was exposed would know where to look (I realize this is true for these situations in general and it is not unique to Sunshine Behavioral Health). On November 10, I sent VanHooser an email notification that the files were still not secure. I also asked what Sunshine had found after they investigated my September 4 notification and I asked whether they had notified any regulators or patients. Getting no answer at all, I sent a second email to him on November 12. He has not responded, but it appears access to the files has been disabled.

So what was in the unencrypted files? They generally did not contain treatment or medical history records, although a few do contain diagnostic codes, treatment codes, or reference to “detox.” For the most part, though, they were billing statements or agreements concerning unpaid bills for some patients treated between 2016 and this year. The screenshots above show two of a number of types of files in the exposed bucket.

Files revealed the following kinds of patient information: full name; date of birth; postal and email addresses; telephone numbers; full credit card numbers with partial expiry dates (month/day) and full CVV code; health insurance membership number, account number, statements concerning insurance benefits, and amounts due and paid. Not all patients had all of those data types exposed.

Because Sunshine Behavioral Health did not answer queries, DataBreaches.net sent inquiries to some patients whose data was exposed to ask if they were ever notified of the exposure incident. So far, out of the small sample of patients, none of the emails have bounced back, but none of the patients have responded. This post may be updated if more information is obtained. DataBreaches.net has not yet decided whether to report this incident to HHS OCR, but is reporting it here because Sunshine Behavioral Health has neither posted anything on their site nor informed this site whether they have made notifications to patients and/or regulators.
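The report says files stayed reachable by direct URL after access to the bucket was disabled. The following remediation check is an added example, not part of the original report: it assumes the exposure came from S3 ACL grants (the report does not state the mechanism), takes input shaped like boto3's get_bucket_acl, get_object_acl and get_public_access_block responses, and uses constructed sample data and object keys.

```python
# Added example: audit S3 ACLs for anonymous access after a "bucket closed" fix.
# Only ACL grants are evaluated; bucket policies are out of scope here.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
READABLE = {"READ", "FULL_CONTROL"}


def public_perms(acl):
    """Permissions an ACL grants to anonymous callers (the AllUsers group)."""
    return {
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") == ALL_USERS
    }


def audit(bucket_acl, object_acls, public_access_block=None):
    """Return (listing_is_public, sorted object keys still anonymously readable)."""
    pab = public_access_block or {}
    if pab.get("IgnorePublicAcls"):
        # With IgnorePublicAcls set, S3 disregards public grants on the
        # bucket and on every object in it.
        return False, []
    listing = bool(public_perms(bucket_acl) & READABLE)
    exposed = sorted(
        key for key, acl in object_acls.items() if public_perms(acl) & READABLE
    )
    return listing, exposed


# Constructed sample data (not taken from the incident).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS},
               "Permission": "READ"}
BUCKET_BEFORE = {"Grants": [OWNER, PUBLIC_READ]}   # anonymous listing allowed
BUCKET_AFTER = {"Grants": [OWNER]}                 # listing grant removed
OBJECTS = {
    "billing/statement-0001.pdf": {"Grants": [OWNER, PUBLIC_READ]},
    "billing/template.docx": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    print("before fix:", audit(BUCKET_BEFORE, OBJECTS))
    print("listing grant removed:", audit(BUCKET_AFTER, OBJECTS))
    print("IgnorePublicAcls on:",
          audit(BUCKET_AFTER, OBJECTS, {"IgnorePublicAcls": True}))
```

Removing only the bucket-level grant stops listing but leaves any object with its own public grant readable, so remediation needs to be verified per object or enforced with Block Public Access.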
