A medical Q&A service provider is facing questions about its security processes after a cloud misconfiguration appeared to leak sensitive images of thousands of patients, including infants.
A team at Safety Detectives traced the exposed Amazon S3 bucket back to Japanese firm Doctors Me. It was apparently left open with no authentication controls in place.
Alongside other services, Doctors Me enables users to upload images of medical conditions anonymously so that clinicians can offer a diagnosis.
However, the cloud storage misconfiguration exposed around 300,000 files to anyone who found the bucket. The 30GB trove featured over 12,000 unique images, including the faces and private areas of children and infants, according to Safety Detectives.
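The bucket described above was readable without credentials. As an added example (not code from the Safety Detectives report or from Doctors Me), the Python below shows how a reviewer would check for the two settings that make an S3 bucket world-readable, a public ACL grant and a bucket policy that allows any principal, and the Public Access Block configuration that neutralises both. The ACL, the policy and the bucket name `example-uploads` are constructed for the example; the data structures mirror what boto3's `get_bucket_acl` and `get_bucket_policy` return, but the check runs offline on the embedded samples.

```python
import json

# Constructed sample ACL in the shape returned by boto3's
# s3.get_bucket_acl(); not data from the bucket in the article.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        # This is the grant that makes the bucket listable/readable by everyone.
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample bucket policy, as the JSON string that
# s3.get_bucket_policy() returns in its "Policy" field.
# The bucket name and account ID are hypothetical.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Sid": "AppWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-uploads/*"},
    ],
})

# Both predefined groups count as public for a bucket holding patient data:
# AuthenticatedUsers means any AWS account in the world, not "our users".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (permission, group URI) pairs granted to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grant["Permission"], grantee["URI"]))
    return found


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Sids of unconditional Allow statements open to any principal.
    Statements with a Condition may still be public but need a human look."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    found = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", f"statement-{i}"))
    return found


def bucket_is_public(acl, policy_json):
    """Either mechanism alone is enough to expose every object."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy_json))


# The setting that makes both findings above ineffective. Passed as
# PublicAccessBlockConfiguration to s3.put_public_access_block(), with all
# four flags true, public ACLs are ignored and public policies are rejected.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_access_block_is_complete(config):
    """A partial block (e.g. only BlockPublicAcls) still leaves a gap."""
    return all(config.get(k) is True for k in HARDENED_PUBLIC_ACCESS_BLOCK)


if __name__ == "__main__":
    print("Public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("Public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("Bucket is public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

Against the constructed samples the ACL check reports the `AllUsers` READ grant and the policy check reports the `PublicRead` statement; either finding on its own is a complete exposure. Applying the four-flag Public Access Block at the account level rather than per bucket is the usual choice, since it also covers buckets created later by someone who forgets.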
If bad actors could identify users by cross-checking images with social media and other platforms, it could put them at risk of blackmail, the researchers argued.
“Criminals could potentially identify Doctors Me customers and any other dependents who have their face or unique identifiable characteristics (i.e. unique tattoos) pictured on the bucket. Hackers could also identify users if one of their medical pictures was uploaded to multiple other platforms,” it said.
“An exposed person could feel embarrassed and anxious about their medical condition, and could face ridicule and reputational damage should others find out. In some cases, exposing sensitive medical data can ultimately affect someone’s personal relationships, dating life, and job opportunities.”
It’s not clear whether the live bucket was secured following its discovery. Safety Detectives said it contacted Doctors Me and the Japanese CERT on November 21, 2021. It followed up with the CERT and with AWS a week later, and again in December 2021 and January 2022.
The last contact published in the report was a CERT response on January 11, 2022, informing the research team that it had contacted AWS.