Data on 150,000 patients exposed in another misconfigured AWS bucket
Kromtech Security researchers have discovered yet another unsecured Amazon S3 bucket. This time the bucket in question belonged to Patient Home Monitoring (PHM), a HIPAA-covered entity that provides U.S. patients with disease management services and in-home monitoring.
The misconfigured bucket held lab results and other files for about 150,000 patients. According to the researchers it was publicly accessible: its contents could be read by anyone on the internet without supplying any credentials. (S3 buckets are not protected by passwords; who may read them is decided by the bucket's access policy and ACL, and here those were set to allow everyone.)
In total the exposure came to 47.5 GB of data, about 316,000 PDF files containing patient names, addresses, phone numbers, diagnoses and test results, along with physician names, case management notes and other patient information.
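As an added example (not code from Kromtech, PHM or the original article), the script below performs the check that would have caught this kind of exposure: an offline review of the three settings that decide whether an S3 bucket is readable by the public, namely the bucket policy, the bucket ACL and S3 Block Public Access (the last of which AWS introduced in late 2018, after this incident). The function inputs follow the response shapes of the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls so they can be fed live output later; the sample documents, bucket name and grantee IDs are constructed for illustration, and the article does not say which of these mechanisms exposed PHM's bucket.

```python
"""Offline triage of an S3 bucket's policy, ACL and Public Access Block for
anonymous read access. Added example, not Kromtech's or PHM's code; all sample
documents are constructed and the inputs mirror the S3 GetBucketPolicy,
GetBucketAcl and GetPublicAccessBlock response shapes."""

# Grantee URIs S3 treats as "everyone" and "any AWS account" (both count as public).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account)",
}
ACL_READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
POLICY_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any(
        "*" in _as_list(v) for v in principal.values())


def public_policy_statements(policy):
    """(Sid, unconditional) for each Allow statement granting read to everyone.
    unconditional=False means a Condition (e.g. aws:SourceIp) needs human review."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & POLICY_READ_ACTIONS:
            findings.append((stmt.get("Sid", "<no Sid>"), not stmt.get("Condition")))
    return findings


def public_acl_grants(acl):
    """(grantee, permission) for every ACL grant letting a public group read."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in ACL_READ_PERMISSIONS):
            findings.append((PUBLIC_GRANTEE_URIS[uri], grant["Permission"]))
    return findings


def assess_bucket(policy, acl, pab):
    """Return (verdict, evidence). Public Access Block is applied as S3 does:
    IgnorePublicAcls voids public ACL grants, RestrictPublicBuckets voids
    public policy access, whatever the documents themselves say."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    acl_hits, policy_hits = public_acl_grants(acl), public_policy_statements(policy)
    acl_live = [] if cfg.get("IgnorePublicAcls") else acl_hits
    policy_live = [] if cfg.get("RestrictPublicBuckets") else policy_hits
    if acl_live or any(uncond for _, uncond in policy_live):
        verdict = "PUBLIC: anonymous read possible"
    elif policy_live:
        verdict = "REVIEW: public principal in policy, but conditions present"
    elif acl_hits or policy_hits:
        verdict = "not public: Public Access Block overrides public grants"
    else:
        verdict = "not public"
    return verdict, {"policy": policy_hits, "acl": acl_hits, "block": cfg}


# Constructed sample documents; NOT Patient Home Monitoring's real configuration.
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
CONDITIONAL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
               "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER_GRANT, {"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
LOCKED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for label, args in [("exposed", (EXPOSED_POLICY, EXPOSED_ACL, {})),
                        ("blocked", (EXPOSED_POLICY, EXPOSED_ACL, LOCKED_PAB)),
                        ("ip-restricted", (CONDITIONAL_POLICY, PRIVATE_ACL, {}))]:
        print(f"{label}: {assess_bucket(*args)[0]}")
```

Against a live account the same functions take the JSON returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` for each bucket; note that the policy comes back as a JSON string inside the "Policy" field and needs `json.loads`, and that a bucket with no policy or no block configuration returns an error rather than an empty document, which the caller should map to `{}`. A statement with a Condition is deliberately reported for review rather than cleared, because conditions such as `aws:SecureTransport` do nothing to limit who can read.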
“Anyone with an internet connection could access these confidential records,” said Alex Kernishniuk, vice president of Strategic Alliances for Kromtech, in a statement.
Kromtech researchers first discovered the exposed bucket on Sept. 29, and PHM was notified on Oct. 5. The company secured the bucket the same day but did not respond to Kromtech's inquiries.
“It is unclear how they will notify their clients and inform them that their confidential data has been leaked online,” the researchers wrote. “Dealing with any form of medical data is risky and it is required by law to notify affected patients of a data breach.”
“This is yet another wake-up call for companies who try to bridge the gap between healthcare and technology to make sure cybersecurity is also a part of their business model,” said Kernishniuk. “Even the most basic security measures would have prevented this data breach.”
Kernishniuk said he believes this won't be the last exposure of this kind on AWS. In fact, it is the second major S3 exposure announced this week: Accenture left four of its S3 buckets publicly accessible through a configuration error, exposing hundreds of gigabytes of data.
In 2017 alone a wide range of breaches have been caused by misconfigured cloud storage and online databases. Verizon recently had the personal data of as many as 14 million customers exposed online. Other high-profile companies and health systems have also accidentally breached data by failing to secure what they stored in the cloud.