Nearly 150,000 patients who sought treatment at an addiction recovery facility in Pennsylvania had their medical records exposed online. Through the public search engine Shodan, independent researcher Justin Paine found an ElasticSearch database with nearly five million rows of data. It appeared to include personally identifiable information (PII) of patients who were treated at Steps to Recovery between mid 2016 and late 2018.
Paine notified ElasticSearch, which contacted the owner of the database. The information is no longer publicly accessible, but in a blog post, Paine said to the best of his knowledge, Steps to Recovery has not reached out to the patients. While 150,000 people is a relatively small data leak by today's standards, exposing health records, especially those regarding addiction and with PII, is a serious mishap.