Breach, Compliance Management, Data Security, Privacy

Open database exposes 93K files on patients of substance abuse facilities

A misconfigured AWS s3 storage bucket reportedly exposed roughly 93,000 billing files that contain information on patients of three drug and alcohol addiction facilities operated by San Juan Capistrano, California-based Sunshine Behavioral Health, LLC.

Patients at SBH's Monarch Shores location in San Juan Capistrano; Chapters Capistrano facility in San Clemente, Calif.; and Willow Springs Recovery center in Bastrop, Texas, had their data left open and accessible, reported today in a blog post. Although 93,000 files (in some cases templates or test data) were found out in the open, an undetermined smaller number patients were affected, as patients typically had multiple files associated with them.

Exposed data in some cases consists of names, birth dates, physical and email addresses, phone numbers, full payment card numbers with partial expiration dates and a full CVV code and health insurance information, including membership and account numbers, insurance benefits statements and amounts due and paid.

According to the blog post, an unidentified individual discovered the open database last August and subsequently informed, which in turn alerted a Sunshine Behavioral Health employee on Sept. 4. By the next day, reportedly nothing had changed, so called back and spoke with the substance abuse treatment provider's director of compliance, Stephen VanHooser. Shortly thereafter, the database was made private.

However, in turned out the data was reportedly still not secure. Per the blog post, discovered in November that "the files were still accessible without any password required if you knew where to look. And anyone who had downloaded the URLs of the files in the bucket while the bucket was exposed would know where to look." reportedly reached out again to SBH on Nov. 10 and Nov. 12 and soon after the files were further secured. also reports that it has found no indication that SBH has disclosed the data leak to the public. "[T]here has been nothing on their website, the California Attorney General's website, or HHS's public breach tool, even though it is more than 70 days since they were first notified," the blog post states. It is possible patients were privately notified.

SC Media reached out to Sunshine Behavioral Health and left a message seeking comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.