Apparently a rehab clinic located in PA has had its database of 4.9M patients' names and other info compromised from an ElasticSearch database, which was left open to the internet without any authentication. This is from a Threatpost security article:
“An ElasticSearch database that was left open to the internet exposed about 4.9 million data points of personally identifiable information (PII) related to individuals seeking treatment at the Steps to Recovery addiction treatment facility in Levittown, Pa., which is located outside of Philadelphia.
“Given the stigma that surrounds addiction, this is almost certainly not information the patients want easily accessible,” said Justin Paine, director of trust and safety at Cloudflare, writing on his personal blog on Friday.
Paine discovered that the database, which wasn’t protected by any sort of authentication, contained data collected by the treatment facility between mid-2016 and late last year.
“Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment,” Paine explained.
In all, there are two indexes inside the database, containing 4.91 million documents (roughly 1.45GB of data). After collating and cross-referencing a section of the information, Paine found that a single patient ID could have multiple rows of data for different medical procedures.”