An AWS S3 storage bucket owned by Sunshine Behavioral Health, LLC, a San Juan Capistrano, CA-based organization of drug and alcohol addiction rehabilitation centers, has been misconfigured, leading to the exposure of sensitive patient information.
The misconfigured AWS S3 bucket was first reported to databreaches.net in August 2019. Sunshine Behavioral Health was contacted and the bucket was secured; however, the data exposure does not seem to have been reported to the HHS’ Office for Civil Rights, no breach report has been published on the California Attorney General’s website, and there is no mention of the breach on the Sunshine Behavioral Health website, even though it has been more than 60 days since Sunshine Behavioral Health identified the breach.
Dissent of databreaches.net followed up on the breach in November and found that files were still exposed. The URLs of the PDF files in the bucket were still openly accessible and could be viewed without a password. If the URLs had been obtained while the bucket was exposed, the PDF files could have been accessed and downloaded. Overall, 93,000 patient files were held in the S3 bucket.
According to Dissent, the files did not relate to 93,000 patients. Some patients had many files, and some of the files appeared to contain test data or were templates. Additional contact was made with Sunshine Behavioral Health, but no reply was received, although the email was evidently viewed, as the URLs are no longer accessible.
It is not known how many patients have been affected, how long the files were exposed online, or whether they were viewed or obtained by unauthorized individuals during that time. The files were mainly billing records, some of which included full names, birth dates, email addresses, postal addresses, telephone numbers, complete credit card numbers, partial expiry dates, full CVV codes, and health insurance data.