More than 1.7 million activity logs including psychological profiles and therapy sessions for thousands of patients, including "telehealth" audio and video files, were included in the leak, as were patient driver's licenses.
Since first getting off the ground in 2018, Confidant has been promising to build "the next-generation of virtual care" for mental health patients seeking treatment for addictions and behavioral problems. Instead, Confidant botched the security of its confidential patient files by storing them in a "non-password-protected database."
Confidant currently offers clinical services to patients in Connecticut, Florida, New Hampshire, Virginia and Texas. The Confidant Health app is available on both the iOS (Apple) and Android (Google) platforms, having been downloaded some 10,000 times in the Google Play Store.
(Related: Did you know that "nearly all" AT&T customers were hacked in a data breach earlier this summer?)
People's deepest, darkest secrets shared with the world
Cybersecurity expert Jeremiah Fowler is credited with discovering the leak. He commented that the patient audio and video files contain "some heartbreaking, really painful family trauma, personal trauma."
"It's almost like having your deepest, darkest secrets that you've told your diary revealed," he added. "It's things that you never want to get out."
As a show of respect for professional ethics, Fowler chose not to download any of the private medical information. He also did not attempt to access the password-protected databases, though he did say that a dedicated hacker could easily break in if he or she was so inclined.
"Cyber criminals have a range of tools at their disposal including brute force attacks and social engineering attempts that could potentially result in unauthorized access to those protected files and documents," Fowler further said.
What Fowler did observe as part of his investigation was a trove of publicly visible patient documents that are clearly labeled as things like psychotherapy intake notes and professional assessments on individual patient health. There are also documents outlining patient histories of mental health, substance abuse, family issues, psychiatric history and other problems.
There were also many other files included in the leak such as administrative documents and verification records, i.e., state-issued identification and insurance cards. Other files include drug tests, some with Personally Identifiable Information (PII), that show positive results for substances like cannabis and alcohol.
Much of the leaked data had been collected by Confidant's proprietary chatbots and artificial intelligence (AI), meaning robots rather than humans were in charge of it. Confidant has long bragged about its advanced chatbots and AI programs, which the company claims are pros rather than cons.
"A data-centric environment like the one we are constructing lends itself to leveraging AI to make predictive suggestions," said Confidant's co-founder Sam Arsenault Wilson in a 2022 interview. "That's where we're headed once the data reaches proper scale."
In a report he compiled for the security website vpnMentor, Fowler noted that in a random sampling of data he reviewed, the open and publicly accessible files "contained what could be considered a very serious potential risk to the personal privacy and PII of those individuals."
Of the approximately 1,000 files he personally reviewed to better understand how the data breach occurred in the first place, Fowler revealed that he "was able to view using only a web browser," meaning anyone can access the leaked files without any understanding of hacking.
Fowler made note of the fact that maintaining an exposed database of documents without password protection like Confidant has been doing is highly unusual, especially in the healthcare industry.
More related news coverage can be found at CyberWar.news.
Sources for this article include:
Please contact us for more information.
