Unsecured Amazon S3 Bucket Leads to Breach of Medical Records and Test Results

by Patrick Kennedy | Oct 19, 2017

Another unsecured Amazon S3 bucket used by a HIPAA-covered entity has been found by Kromtech Security. The unsecured bucket contained 47.5GB of medical details relating to around 150,000 people.

The medical details contained in the files included blood test results, physicians' names, case management notes and the personal data of patients, including their names, addresses and telephone numbers. The Kromtech Security researchers said many of the stored documents were PDF files, each holding information on multiple patients who were having weekly blood tests.

Overall, around 316,000 PDF files were accessible. The tests had been carried out at patients' homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech said the data could be accessed without a password being requested: any individual with an Internet connection who knew where to look could have accessed all 316,000 files. Whether any unauthorized people viewed or downloaded the files is not yet evident, and the researchers could not tell how long the Amazon S3 bucket had remained accessible.

The unsecured Amazon S3 bucket was located by Kromtech staff on September 29. It took some time to identify and contact the company involved; the company was identified on October 5 and a notification was issued. No response was received, but by the next day all data had been secured and the files could no longer be accessed online without proper authentication.

The cloud offers healthcare groups cost-effective and convenient data storage services. HIPAA permits use of the cloud provided only HIPAA-compliant cloud platforms are used and a business associate agreement (BAA) is completed before the cloud is used to store ePHI. However, having a BAA does not ensure that a service will be HIPAA compliant: the working practices of users can still lead to HIPAA violations and the exposure of sensitive information.

The failure to adopt proper security controls to prevent cloud-stored data from being accessed by unauthorized individuals is an easy error to make, but one that can have costly consequences, not only for the patients whose PHI has been exposed, but also for the covered organization or business associate.

The failure to use security measures to ensure the confidentiality, integrity, and availability of ePHI can lead to severe financial penalties from OCR and state attorneys general. A data breach can also lead to legal actions from patients seeking compensation to cover the lifelong risk of harm from the exposure of their personal data.

Errors cannot always be avoided, and sometimes they will result in PHI being exposed, but in the case of unsecured Amazon S3 buckets it is also simple to check for configuration mistakes. Kromtech, for instance, offers free software, S3 Inspector, that checks whether an organization's AWS S3 bucket permissions have been configured so as to prevent access by the public.
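The kind of configuration check described above, as an added example that is not part of the original article and is not Kromtech's S3 Inspector: it inspects the three places a bucket can be opened to the public, the bucket ACL (grants to the AllUsers or AuthenticatedUsers groups), the bucket policy (unconditional Allow statements to every principal) and the account or bucket Public Access Block, which AWS introduced after this article was written and which neutralises public ACLs and policies when all four flags are on. The ACL, policy and Public Access Block documents are constructed samples in the shape the boto3 calls return; `audit_live_bucket` runs the same logic against a bucket you own and needs boto3 and credentials.

```python
"""Check one S3 bucket's ACL, bucket policy and Public Access Block for
anonymous access.  Example added to this article; not Kromtech's S3 Inspector.
The ACL/policy documents below are constructed samples in the shape that
boto3's get_bucket_acl / get_bucket_policy / get_public_access_block return."""
import json

# Canned AWS groups: AllUsers is anyone on the Internet, AuthenticatedUsers is
# anyone with any AWS account, so a grant to either counts as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL grants to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (alone or inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each unconditional Allow to everyone."""
    if not policy_json:
        return []
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be un-listed
        statements = [statements]
    found = []
    for idx, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", "statement[%d]" % idx))
    return found


def public_access_block_gaps(pab):
    """Return the Public Access Block flags that are missing or False."""
    conf = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not conf.get(flag, False)]


def audit(acl, policy_json=None, pab=None):
    """Combine the checks: a public ACL is neutralised by IgnorePublicAcls and a
    public policy by RestrictPublicBuckets; otherwise the bucket is reachable
    without credentials, as in the incident described in the article."""
    gaps = public_access_block_gaps(pab)
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    exposed = ((bool(acl_hits) and "IgnorePublicAcls" in gaps)
               or (bool(policy_hits) and "RestrictPublicBuckets" in gaps))
    return {"public": exposed, "acl": acl_hits, "policy": policy_hits,
            "missing_pab_flags": gaps}


# Constructed sample: world-readable ACL, no Public Access Block (the exposed case).
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# Constructed sample policy with one world-readable statement.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample after remediation: owner-only ACL, all four flags enabled.
HARDENED_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)}


def audit_live_bucket(bucket_name):
    """Same checks against a bucket you own; needs boto3 and credentials with
    s3:GetBucketAcl, s3:GetBucketPolicy and s3:GetBucketPublicAccessBlock."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    try:
        policy_json = s3.get_bucket_policy(Bucket=bucket_name)["Policy"]
    except ClientError as err:  # no policy at all is the common, safe case
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy_json = None
    try:
        pab = s3.get_public_access_block(Bucket=bucket_name)
    except ClientError as err:  # never configured: treat every flag as off
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    return audit(acl, policy_json, pab)


if __name__ == "__main__":
    print("exposed sample :", audit(EXPOSED_ACL, EXPOSED_POLICY, None))
    print("hardened sample:", audit(HARDENED_ACL, None, HARDENED_PAB))
```

Run on its own the script reports the constructed exposed bucket as public and the hardened one as not; `audit_live_bucket("your-bucket-name")` applies the same verdict to a real bucket. The check deliberately reads only bucket-level settings: object ACLs can also make individual files public, so a full review would walk the objects as well.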

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
