Unsecured Amazon S3 Bucket Leads to Breach of Medical Records and Test Results

Another unsecured Amazon S3 bucket used by a HIPAA-covered entity has been found by Kromtech Security. The unsecured bucket was storing contained 47.5GB of medical details relating to around 150,000 people.

The medical details contained in the files included blood test results, physician’s names, case management notes and the personal data of patients including their names, addresses and telephone numbers. The Kromtech Seucrity researchers said many of the stored documents were PDF files, holding information on multiple patients that were having weekly blood tests.

Overall, around 316,000 PDF files were accessible. The tests had been carried out at patient’s homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech said the data could be accessed without a password being requested. Any individual with an Internet connection, that knew where to search, could have accessed all 316,000 files. Whether any unauthorized people viewed or downloaded the files is not yet eveident. The researchers could not tell how long the Amazon S3 bucket had remained accessible.

The unsecured Amazon S3 bucket was located by Kromtech staff on September 29. It took some time to identify  and contact the company involved. They were located on October 5 and a notification was issued. While no response was issued, by the next day, all data was made safe and files could no longer be accessed online without proper authentication.

The cloud offers healthcare groups cost effective and convenient data storage services. Provided only HIPAA-compliant cloud platforms are used and a business associate agreement is completed before the cloud is used to store ePHI, HIPAA allows utilization of the cloud. However, having a BAA does not ensure that a service will be HIPAA compliant. The work methods of users can still lead to HIPAA violations and the exposure of sensitive information.

The failure to adopt proper security controls to prevent cloud-stored data from being accessed by unauthorized individuals is an easy error to make, but one that can have costly consequences, not only for the patients whose PHI has been exposed, but also for the covered organization or business associate.

The failure to use security measures to ensure the confidentiality, integrity, and availability of ePHI can lead to severe financial penalties from OCR and state attorneys general. A data violation can also lead to legal actions from patients seeking compensation to cover the lifelong risk of harm from the exposure of their personal data.

Errors cannot always be avoided, and sometime these will lead to in PHI being accessed, but in the case of unsecured Amazon S3 buckets, it is also simple to check for configuration mistakes. Kromtech, for instance, offers a free software – S3 Inspector – that can check whether their AWS S3 bucket permissions have been configured so as to prevent access by the public.