In a significant data security incident, Confidant Health, a Texas-based AI healthcare platform, inadvertently exposed 5.3 terabytes of sensitive mental health records due to a misconfigured server that left a significant amount of data unprotected.
Cybersecurity researcher Jeremiah Fowler discovered the non-password-protected server, which contained over 126,276 files and 1.7 million logging records. The exposed data included personal identifying information, detailed mental health assessments, medical records, and even audio and video recordings of therapy sessions.
The leak potentially affects thousands of patients across multiple states where Confidant Health operates, including Connecticut, Florida, New Hampshire, Texas, and Virginia. “Not every document in the database was exposed, and a portion of the files were restricted and not publicly viewable,” Fowler noted. “However, even if the data in these restricted files cannot be viewed, there is a potential risk of malicious actors knowing the file paths and storage locations of additional patient data.”
While Confidant Health has acknowledged the data leak and restricted access, the duration of the exposure and the extent of unauthorized access remain unknown. This incident underscores the critical importance of robust data security measures in the rapidly growing telehealth industry. As cybersecurity experts warn, such breaches can lead to severe consequences for patients, including identity theft, medical fraud, and potential blackmail. The incident serves as a stark reminder for healthcare providers to prioritize patient privacy and data security in an increasingly digital healthcare landscape.