Therapy Sessions Exposed by Mental Health Care Firm’s Unsecured Database

Video and audio of therapy sessions, transcripts, and other patient records were accidentally exposed in a publicly accessible database operated by the virtual medical company Confidant Health.

Within the 5.3 terabytes of [exposed data](https://www.wired.com/story/wired-guide-to-data-breaches/) were extremely personal details about patients that go beyond personal therapy sessions. Files seen by security researcher Jeremiah Fowler included multiple-page reports of people’s psychiatry intake notes and details of the medical histories. “At the bottom of some of the documents it said ‘confidential health data,’” Fowler says.

Ransomware groups have [increasingly targeted medical organizations](https://www.wired.com/story/change-healthcare-22-million-payment-ransomware-spike/), disrupting people’s care [while in hospitals](https://www.wired.com/story/ransomware-health-care-assurance-letters/) and trying to [extort health care providers](https://www.wired.com/story/change-healthcare-ransomhub-threat/) multiple times, while health records are frequently sold on cybercrime forums. The risks can be particularly devastating with stolen sensitive personal information: At the start of 2020, [Finnish psychotherapy company Vastaamo was hacked](https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/), with those behind the attack leaking people’s therapy information online and demanding they pay ransoms to get data deleted.

Full story here: [https://www.wired.com/story/confidant-health-therapy-records-database-exposure/](https://www.wired.com/story/confidant-health-therapy-records-database-exposure/)

Uhhh that’s absolutely horrific.

Why tf did they need to save these files in the first place.