Sensitive medical records on AWS bucket found to be publicly accessible

News by Jay Jay

A large cache of sensitive medical records handled by a US-based digital records management company was found stored in an Amazon S3 storage bucket without adequate protection.

A large cache of sensitive medical records handled by a US-based digital records management company was found stored in an Amazon S3 storage bucket without adequate protection.

The storage bucket containing sensitive medical records could be accessed by anyone possessing the unique URL name associated with the bucket. According to security researchers, there are proprietary tools available in the market that can decipher unique URL names associated with Amazon S3 storage buckets.

Researchers at security firm Kromtech Security Centre were made aware of the breach in early December by an independent researcher, following which they conducted a detailed investigation to check if sensitive medical records of people were indeed compromised due to inadequate protection by those who were entrusted with the storage and safekeeping of such data.

While conducting their investigation, the researchers noted that the said medical records were stored in a large PDF file which in turn was stored in an Amazon S3 storage bucket. Using a proprietary tool, the researchers were able to obtain the unique URL name associated with the bucket, thereby bypassing AWS' data encryption. Using this technique, they were also able to copy direct links to files and folders that could be accessed via the link.

'The unfortunate part of so many patient records being exposed is that it was likely a human error and not a malicious actor or cyber-criminal,' wrote Bob Diachenko, chief communication officer at Kromtech in a blog post.

'The repositories contained a wide range of sensitive details about patients that are protected under HIPAA laws. HIPAA violations can carry large financial penalties in the event of willful neglect or purposely leaking patient information online,' he added.

Following the discovery, the researchers alerted the US-based digital records management company that handled the patient records and ensured that public access to such data was disabled. Even though they didn't go as far as naming the company, they added that the company was quick to respond to their alert and also took steps to ensure that the compromised storage bucket was no longer publicly accessible.

This isn't the first time that researchers at Kromtech have discovered unsecured Amazon S3 storage buckets that contained sensitive information of thousands of patients. In October last year, the firm had unearthed as many as 316,000 PDF files from an unsecured AWS storage bucket that contained confidential details such as blood test results, physician's names, case management notes, as well as patients' names, addresses, and telephone numbers.

According to the HIPAA Journal which offers independent advice about compliance with the Health Insurance Portability and Accountability Act of 1996, even though the failure to implement controls to prevent cloud-stored data from being accessed by unauthorised individuals is 'an easy mistake to make', it is also quite easy to check for configuration errors. Consequently there can be no excuse for firms that fail to properly secure sensitive data stored on cloud applications.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop