Files of 93,000 California Addiction Treatment Center Patients Accessible Online

Sunshine Behavioral Health, LLC’s AWS S3 storage bucket was misconfigured resulting in the exposure of sensitive patient information. This network of drug and alcohol addiction rehabilitation centers is established in San Juan Capistrano, CA.

Databreaches.net was the first to receive the report about the misconfigured AWS S3 storage bucket in August 2019. Databreaches.net got in contact with Sunshine Behavioral Health and the addiction center immediately secured the bucket. Sunshine Behavioral Health did not submit the data breach report to the HHS’ Office for Civil Rights nor mentioned the breach on its website, although over 60 days have passed since it had known about the breach. The incident was also not published on the California Attorney General’s website.

Databreaches.net analyzed the incident in November and identified some files that stayed exposed. Anyone with the PDF file URLs could view the files from the bucket without needing a password. If the URLs were obtained simultaneously with the compromise of the bucket, the PDF files URLs of 93,000 patients probably have been accessed and downloaded.

According to Dissent, the PDF files and the 93,000 patients do not match. There were a number of patients with a few files and many files come with test findings or templates. Dissent tried to contact Sunshine Behavioral Health, but there was no reply. But the treatment center has read the email because the URLs are not available anymore.

The correct number of patients impacted, the time frame of the file exposure online, and the unauthorized individuals who accessed the URLs are not known at this time. The files were primarily billing information, that contains complete names, dates of birth, postal and email addresses, telephone numbers, credit card numbers, date of expiry, CVV codes, and health insurance information.