Around 93 Million billing files were exposed containing information of patients from drug and alcohol addiction facilities by a misconfigured AWS s3 storage bucket. These three drug and alcohol addiction facilities were operated by San Juan Capistrano, California-based Sunshine Behavioral Health, LLC namely SBH’s Monarch Shores location in San Juan Capistrano; Chapters Capistrano facility in San Clemente, Calif.; and Willow Springs Recovery center in Bastrop, Texas. Patients from these facilities had their data open and accessible and SBH was repeatedly informed by DataBreaches.net about this leak.
The exposed data consisted of billing details like individual's name, birth date, physical and email addresses, phone numbers, debit and credit details like card numbers with partial expiration dates and a full CVV code and health insurance information, including membership and account numbers and insurance benefits statements. Roughly, 93 Million files were released but comparatively fewer individuals were affected as patients had multiple files to their name. The news was covered by DataBreach.net yesterday, but they have been following the case since August.
An anonymous individual tipped DataBreach.net about the open database in late August and they informed Sunshine Behavioral Health regarding the leak on September 4th but to no avail. They then spoke to SBH's director of compliance, Stephen VanHooser and shortly the data was made private. But, unfortunately in November Databreach.net noticed that “the files were still accessible without any password required if you knew where to look.
And anyone who had downloaded the URLs of the files in the bucket while the bucket was exposed would know where to look.”, stated the post. The data and files were finally secured after they again reached out to SBH on Nov 10 and 12. Adding to that, the three-drug and alcohol addiction facilities haven't made the leak public, There has been nothing on their website, the California Attorney General’s website, or HHS’s public breach tool, even though it is more than 70 days since they were first notified,” the blog states. Maybe the affected parties were informed but not the public.