More than 1.7 million therapy logs for American patients are exposed online – and leak includes video sessions

Psychological profiles and therapy sessions of thousands of patients, including audio and video of ‘telecare’ and even driver’s licenses, have been leaked to the public web.

More than 1.7 million activity logs, containing an estimated 5.3 terabytes of mental health data, were made public online by the startup Confidant Health.

The Austin company, which promised to build “the next generation of virtual care” for people seeking addiction treatment and other behavioral therapies, had exposed its patients’ confidential information through a “non-password-protected database.”

This serious breach of privacy comes amid a summer of catastrophic breaches, including the “RockYou2024” Independence Day event in July, which exposed as many as 10 billion passwords to cybercriminals, and a massive breach of U.S. Social Security numbers.

Since its launch in 2018, the Confidant Health app, available for iOS and Android, has been downloaded more than 10,000 times from the Google Play Store.

The company currently provides clinical services to patients in Connecticut, New Hampshire, Virginia, Texas and Florida.

Austin-based telehealth company Confidant Health was caught leaving its patients’ confidential information openly on the public web via a “non-password-protected database”

Above is a collage of edited screenshots showing a number of insurance documents, driver's licenses and other state-issued IDs that were publicly accessible

Jeremiah Fowler, the cybersecurity researcher who discovered the shocking breach of patient privacy, said the audio and video files contained “gut-wrenching, really painful family trauma and personal trauma.”

“It’s almost like your deepest, darkest secrets that you’ve told in your diary are being revealed,” Fowler continued. “These are things that you never want to reveal.”

For reasons of professional ethics, Fowler said he did not download any of the private medical information. He also did not attempt to access the password-protected databases, but noted that a dedicated hacker could make short work of it.

“Cybercriminals have a range of tools at their disposal, including brute force attacks and social engineering attempts that can potentially lead to unauthorized access to protected files and documents,” the researcher explains.

Fowler indicated that he had seen publicly visible patient records. They were clearly psychotherapy intake notes, assessments detailing medical professionals’ opinions about the patient’s mental health, substance abuse, family issues, psychiatric history, and more.

But that personal health data was just one aspect of the breach: Many other files also contained data stored for administrative and verification purposes, such as driver’s licenses, state ID cards and insurance cards.

According to Fowler, the more than 1 million logs in the breach indicate that some of the above data was collected by Confidant Health’s own chatbots and artificial intelligence, features the company has long touted in the press.

“A data-centric environment like the one we are building lends itself to leveraging AI [artificial intelligence] to make predictive suggestions,” Confidant co-founder Sam Arsenault Wilson said in a 2022 interview.

“That’s the direction we’re going to go once the data gets to the right size,” she said.

The leak also included drug tests, including some containing a patient’s personally identifiable information (PII) and their positive drug test results — in one case marijuana and alcohol.

Above is a summary of the exposed private mental health data, as documented by cybersecurity researcher Jeremiah Fowler, who discovered the misstep and reported it to both Confidant Health itself and the cybersecurity researchers at vpnMentor.

Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), medical professionals, businesses, and organizations must take detailed measures to protect the privacy of their clients’ protected health information (PHI).

PHI often overlaps with the related class of personally identifiable information (PII), which numerous industries and government agencies are likewise required to protect.

“In a random sample that I examined,” Fowler noted in his report for the security site vpnMentor, “the public and publicly accessible files […] contained what could be considered a very serious potential risk to the personal privacy and PII of those individuals.”

Fowler said he reviewed about 1,000 files to verify the extent of the exposure risk and to better understand how the error could have occurred so he could more accurately alert the company. He added: “I could only view the files using a web browser.”

According to Fowler, it is unusual for a single exposed database to hold a mix of password-protected and unprotected patient data files, or indeed any patient files at all.

Public access to the documents was restricted within hours of Fowler’s direct message to Confidant alerting the company to the patient privacy breach, he said.

DailyMail.com has reached out to Jon Read, co-founder of Confidant Health, for comment via two email addresses, but Read has not yet responded.

Since Confidant Health was founded in 2018, the app has been downloaded over 10,000 times on the Google Play Store. The company (logo above) currently provides clinical services to patients in Connecticut, New Hampshire, Virginia, Texas, and Florida

Another screenshot from cybersecurity researcher Jeremiah Fowler, confirming that this leak involved drug tests, as above, with a patient's personally identifiable information (PII) and their positive drug test results - in this case marijuana and alcohol

But in an earlier interview with WIRED magazine, the company’s co-founder, Jon Read, said he took issue with the sensational nature of Fowler’s published findings.

After confirming Fowler’s own report that the exposure was contained shortly after the company was notified, Read told WIRED that “during that time” only “a small portion of the files (less than 1 percent of the total number of files) were publicly accessible.”

“These files contain documents, such as faxes, but also synthetic training data.”

“There have been no malicious individuals who have accessed the patient records,” Read continued, adding that “there have been no external chatbots or AI interacting with this data.”

Read stated that Confidant Health had conducted its own internal security audit, alongside hired outside experts, to confirm the security of patient data.

The company’s policies have been adjusted to prevent future exposure, he said.

The company also alerted its customers to the investigation: “When we were notified of the misconfiguration by a third-party security researcher,” Read said, “multiple patient records were accessed by data security personnel.”

“Those patients have been informed that their data has been accessed by non-clinical staff,” the co-founder said.