
Medical data of patients leaked in new breach

Data breaches come in all shapes and sizes and, what’s worse, they’re more commonplace than ever before. While they’re all inherently bad, what varies is the severity of the exposure and the impact it could have on you.

You could have a breach involving millions of records, but if it’s just a bunch of email addresses, that’s a manageable issue.

There are also those breaches that affect a smaller group of people, but the number doesn’t matter if that exposed data is full of your most sensitive information — like medical records.

Sometimes the word “sensitive” doesn’t do a situation justice, and these aren’t just basic medical details that were out in the open. The latest breach involves the personal medical info of patients receiving treatment for addiction.

Rehab records left unprotected

You might think you’re the most careful person when it comes to protecting your own sensitive information. But as we’ve seen time and time again, sometimes it’s just out of your control.

In yet another instance of an online database that was left unsecured, the records for tens of thousands of people were found to be potentially exposed. These records involved patients who were seeking treatment at addiction rehabilitation centers from mid-2016 to late 2018.

Independent researcher Justin Paine discovered the database last month. He said it contained nearly 5 million documents involving what he estimates at about 145,000 patients. Those records included names along with other specific details including the types of treatment they received, treatment dates and how much they cost.

Paine wrote that the records involved patients from Steps to Recovery in Levittown, Penn., and the Ohio Addiction Recovery Center in Columbus, Ohio. After his discovery, he reached out to the website hosting company and that database has since been taken down.

We reached out to both treatment centers named in the story. A representative from Steps To Recovery issued the following statement:

“Privacy is an important element to addiction recovery, and safeguarding our patients’ personal health information is one of our highest priorities. We are aware of a blog post that claims our patients’ information was previously accessible online. At this time, we have no indication that any of our databases or systems were exposed, and we have engaged a third-party forensics consultant to conduct an investigation which is ongoing.

It is important to note that the number of patient records cited in the original blog post vastly exceeds the total number of patients treated over the lifetime of the company which, along with other factual claims made in the blog post, suggest that Steps to Recovery is not the origin of the purported data exposure. We take this matter seriously. We are unable to provide further comment on this potential legal matter at this time.”

Steps to take when your data is exposed

This certainly isn’t the only potential data breach involving medical records. There have already been at least two over the past couple of months, one involving a medical software company and the other a company that develops and markets medical devices and software.

It’s important to note that this data came to light because Paine found it himself, not because an actual breach occurred. The point with these types of stories is that if white-hat hackers don’t find weaknesses first, cybercriminals could. There are steps to take in these situations, whether you’re sure your information has been exposed or you just suspect it.




To check if your email addresses or passwords have been compromised, check out Have I Been Pwned. You can also check your passwords through Google’s Chrome browser; just make sure to enable the option first. On the subject of passwords, make sure you’re using one that’s unique and hard to crack. We’ve got those tips here.

If any of your accounts offer two-factor authentication (2FA), it would be wise to enable the feature. Learn more about that by tapping or clicking here.

Be sure to watch out for phishing scams because once some of your data’s out there, crooks are going to go after more. There’s even a handy test to find out if you can spot a fake email.
