Misconfigured ElasticSearch database exposes 4.9 million sensitive documents of ‘Steps To Recovery’ treatment center

• The misconfigured ElasticSearch database contained 1.45GB of data.
• Roughly 146,316 patients are estimated to be impacted by the incident.

‘Steps To Recovery’, a treatment center located in Levittown, Pennsylvania, has exposed about 4.9 million Personally Identifiable Information (PII) of its patients due to an unprotected ElasticSearch database. The leaky database contained medical information of around hundreds of thousands of patients.

What happened - An independent security researcher who goes by the pseudonym ‘xxdesmus’, revealed that the misconfigured ElasticSearch database contained 1.45GB of data. It included two indexes, containing 4.91 million documents.

The two indexes are tracked as - ‘infcharges’ and ‘infpayments’. While ‘infcharges’ contained 2.74 million documents, ‘infpayments’ had 2.17 million documents.

The researchers noted that the database included sensitive data of roughly 146,316 unique patients.

What could be the impact - Although there is no evidence of any misuse of information, researcher ‘xxdesmus’ claim that the leaked data can be a valuable target for hackers. The threat actors can use the stolen data to receive treatments and medicines.

“Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment,” said the researcher in a blog post.

Type of information exposed - The information exposed in the unsecured database includes patients’ age, birthdates, current addresses, past addresses, and email addresses. It also had the name of the patient’s family members, political affiliation and phone numbers.

What has been done - The researcher has informed the medical center about the breach. The healthcare center is yet to notify the affected individuals. Meanwhile, the unprotected database has been secured and is no longer available to the public.