Open Database Exposes 93M Files On Substance Abuse Patients

A misconfigured AWS s3 storage bucket reportedly exposed roughly 93 million billing files that contain information on patients of three drug and alcohol addiction facilities operated by San Juan Capistrano, California-based Sunshine Behavioral Health, LLC.

Patients at SBH’s Monarch Shores location in San Juan Capistrano; Chapters Capistrano facility in San Clemente, Calif.; and Willow Springs Recovery center in Bastrop, Texas had their data left open and accessible, reported today in a blog post. Although 93 million files (in some cases templates or test data) were found out in the open, an undetermined smaller number patients were affected, as patients typically had multiple files associated with them.

Exposed data in some cases consists of names, birth dates, physical and email addresses, phone numbers, full payment card numbers with partial expiration dates and a full CVV code and health insurance information, including membership and account numbers, insurance benefits statements and amounts due and paid.

According to the blog post, an unidentified individual discovered the open database last August and subsequently informed, which in turn alerted a Sunshine Behavioral Health employee on Sept. 4. By the next day, reportedly nothing had changed, so called back and spoke with the substance abuse treatment provider’s director of compliance, Stephen VanHooser. Shortly thereafter, the database was made private.

However, in turned out the data was reportedly still not secure. Per the blog post, discovered in November that “the files were still accessible without any password required if you knew where to look. And anyone who had downloaded the URLs of the files in the bucket while the bucket was exposed would know where to look.” reportedly reached out again to SBH on Nov. 10 and 12 and soon after the files were further secured. also reports that it has found no indication that SBH has disclosed the data leak to the public. “[T]here has been nothing on their website, the California Attorney General’s website, or HHS’s public breach tool, even though it is more than 70 days since they were first notified,” the blog post states. It is possible patients were privately notified.

SC Media reached out to Sunshine Behavioral Health and left a message seeking comment.