Medical records covering the nature and results of weekly blood tests for 150,000 Americans have been exposed to the public, thanks to yet another company misconfiguring its Amazon S3 repository.
Kromtech Security Center researchers discovered the easily accessible cache of 47.5 GB of data, which consists of 316,363 PDF reports; each patient had weekly test results totaling about 20 files each. Far from anonymous, each file is named after the patient and includes the dates of testing, home addresses, phone numbers and details on the tests themselves—clearly a jackpot for a criminal bent on spear phishing or medical scams. Even doctors’ names and case management notes are included.
Kromtech said in a blog that the database appears to be connected to a patient home monitoring company (appropriately named Patient Home Monitoring, or PHM) that conducted the weekly blood clot medication testing via patient self-test kits—offered as an alternative to patients having to visit a lab or doctor’s office. Researchers said the company made the database private a day after Kromtech notified it of the issue, though there was no note or comment back to the security firm. The monitoring company is now required by law to notify affected patients thanks to the HIPAA Breach Notification Rule.
“This is yet another wake-up call for companies who try to bridge the gap between healthcare and technology to make sure cybersecurity is also a part of their business model,” said Alex Kernishniuk, vice president of strategic alliances at Kromtech. “Even the most basic security measures would have prevented this data breach. Unfortunately, there are many more databases and cloud storage repositories waiting to be discovered.”
There has been an epidemic of misconfigured Amazon S3 buckets of late—largely because although they can be easily switched from private to public access, public is the default.
“The speed with which organizations are moving to AWS and cloud infrastructure, it is only natural to miss something,” said Josh Mayfield, platform specialist, Immediate Insight at FireMon, via email. He added that cyber-criminals are becoming increasingly fluent with the cloud.
“There is increased data staging within cloud infrastructures prior to exfiltration,” he explained. “That means the cyber-criminal makes headway in the on-prem network, but needs a place to hold the data prior to the final theft. By moving data to a cloud instances that has regular data exchange with on-prem assets, the cyber-criminal can hide the growing amount of data going into the cloud infrastructure. After all, that’s a regular occurrence—no alert triggered.”
Then, when you take into account the regular openness of S3, theft becomes even easier.
“Imagine a commercial mover putting your furniture into a moving van,” Mayfield explained. “No shock here, that seems like normal asset movement. But then, an accomplice walks up to the fully loaded van, key in the ignition, and drives away. This is not a perfect analogy, but it gets very close to the data staging and exfiltration that happens with cloud infrastructure.”