Amazon S3 Misconfiguration Exposes 47GB of Medical Data Affecting 150,000 Patients

Oct 12, 2017 09:15 CST Updated 09:15


According to a report by foreign media outlet SlashGear on the morning of October 11 (Beijing time), the security research firm Kromtech Security Researchers disclosed that approximately 47 GB of medical data, comprising 315,363 PDF files, stored by a healthcare service provider on Amazon S3 had been inadvertently left publicly accessible.


Kromtech Security Researchers estimate that these files involve at least 150,000 patients. The leaked data includes blood test results and personal information such as names and home addresses, as well as content like physicians’ case management notes.


A significant portion of the patients whose records were included in the leaked PDF files were those undergoing weekly check-ups. Kromtech stated that these data were all associated with a company named Patient Home Monitoring, which regularly conducts blood tests at the homes of patients requiring continuous monitoring on behalf of physicians.


Researchers pointed out that the company’s website features a dedicated privacy page, assuring customers of their “right to know who can access their confidential health information and for what purpose.” Clearly, this data exposure constitutes a serious privacy breach and violates the HIPAA regulations. As required, the company must notify the affected patients.


Kromtech explained that it discovered the incident on September 29 and notified the company on October 5. The researchers stated that the database was closed to the public on October 6, but the company did not provide any further response.


This is yet another recent case of private data being exposed online. For instance, an online translation service recently posted translated texts online, making sensitive information contained therein accessible to the public.


Cybersecurity firm HEIMDAL released the "Mid-2016 Review: Analysis Report on Cybersecurity Threats in 2016," which summarized global cybersecurity incidents from April 2015 to March 2016. Among these, the healthcare industry was the sector most heavily targeted by ransomware worldwide, accounting for 88% of all ransomware statistics in the second quarter.


Trustwave released a 2015 security report on the healthcare industry, revealing that 91% of the 398 surveyed healthcare professionals (including technical staff such as CIOs, CISOs, and IT directors, as well as general medical personnel) believe that cyberattacks targeting the healthcare sector are increasing. However, less than 10% of budgets are allocated to protecting patients’ sensitive information.


Below are the 10 most severe data breaches in the U.S. healthcare industry from 2016 to present:


1. Aesthetic Dentistry and OC Gastrocare Dental Record Breach Incident


According to a May 4 report by DataBreaches.net, the dark web hacking group TheDarkOverlord (hereinafter referred to as “TDO”) stole and published 180,000 patient medical records through three illegal intrusions. These records include over 3,400 files from Aesthetic Dentistry, a cosmetic dental clinic in the New York area; 34,100 files from OC Gastrocare, a dental care clinic in California; and 142,000 files from the Tampa Bay Surgery Center in the Tampa Bay area of Florida. TDO posted links on its Twitter account to web pages where anyone could download the patient databases.


2. Children's Health Records: Pediatric Medical Record Leak Incident


The hacker Skyscraper disclosed to DataBreaches.net on April 26 that over 500,000 pediatric medical records were available for download on the dark web. These records contained the names, Social Security numbers, phone numbers, and addresses of both children and their parents. While DataBreaches.net did not name the specific institution targeted in the cyberattack, it noted that several other elementary school systems had also been hacked, resulting in the leakage of more than 200,000 student files. However, the number of stolen medical records reported by pediatricians to the Office for Civil Rights at the Department of Health and Human Services was inconsistent with the figures publicly reported. This discrepancy suggests that many healthcare providers remain unaware that patient medical information has been compromised.


Original URL: http://www.healthcareitnews.com/news/hacker-patient-data-500000-children-stolen-pediatricians


3. Lifespan Data Breach Incident


Rhode Island’s largest healthcare network, Lifespan, issued a statement announcing that on February 25, an employee’s vehicle was stolen, resulting in the theft of a laptop containing sensitive information from over 20,000 medical records, which may have been compromised. The employee immediately notified the relevant legal authorities and Lifespan management. The company promptly revoked the employee’s access to Lifespan’s information systems.


Original URL: http://www.healthcareitnews.com/news/stolen-laptop-leads-breach-notification-20000-lifespan-patients


4. HealthNow Networks Data Breach Incident


A joint investigation by ZDNet and DataBreaches.net has revealed that the personal health data of more than 918,000 elderly individuals was leaked after a software developer for HealthNow Networks uploaded a database backup to the internet several months ago. HealthNow Networks is a Florida-based telemarketing company primarily engaged in marketing medical supplies to seniors requiring diabetes-related medical devices. However, HealthNow Networks failed to file its annual report with local authorities in 2015, and its business status is no longer listed as legally registered and operational. The aforementioned software developer was contracted to build a customer database for HealthNow Networks but stated that “the workload was simply too overwhelming.”


Original URL: http://www.healthcareitnews.com/news/nearly-1-million-patient-records-leaked-after-telemarketer-blunder


5. ABCD Children’s Pediatrics Data Breach Incident


The ABCD Pediatric Clinic in San Antonio has reported that the information of more than 55,000 patients may have been compromised following a ransomware attack. The breached data may include patients’ names, Social Security numbers, insurance billing information, dates of birth, medical records, laboratory test results, surgical procedure codes, and other personally identifiable information. Investigations indicate that the ransomware involved is Dharma, a variant of the Crysis ransomware family. According to the clinic’s official statement, although this type of malware typically does not exfiltrate system data, the clinic cannot completely rule out this possibility.


Original article: http://www.healthcareitnews.com/news/ransomware-attack-texas-pediatric-provider-exposes-data-55000-patients


6. Washington University School of Medicine Data Breach Incident


A Washington University School of Medicine employee fell victim to a phishing attack on December 2, potentially compromising over 80,000 medical records. The School of Medicine stated that officials did not learn of the incident until seven weeks later, on January 24. According to the employee’s account, he responded to a phishing email disguised as a legitimate request, thereby granting unauthorized hackers access to his email account, which contained relevant patient information.


Original article URL: http://www.healthcareitnews.com/news/phishing-attack-risks-leak-80000-patient-records


7. Metropolitan Urology Group Data Breach Incident


The Seattle Metropolitan Urology Group suffered a ransomware attack in November, potentially compromising the personal information of over 17,000 patients. The U.S. Department of Health and Human Services Office for Civil Rights stated that two servers belonging to the group were infected by malware, potentially exposing patient data from 2003 to 2010, including patients’ names, account numbers, medical institution identification codes, surgical procedure codes, and healthcare service data. Social Security numbers for 5% of the affected patients were compromised.


Original article URL: http://www.healthcareitnews.com/news/ransomware-attack-exposes-data-nearly-18000-metropolitan-urology-patients


8. Denton Heart Group Data Breach Incident


Denton Heart Group, a member of the HealthTexas Provider Network, reported the theft of an unencrypted hard drive containing seven years of backed-up electronic health record (EHR) data. The compromised backup information includes patients’ names, dates of birth, home addresses, phone numbers, driver’s license numbers, insurance policy details, physicians’ names, clinic account numbers, medical record information, medication records, test results, and other relevant clinical data from 2009 to 2016.


Source URL: http://www.healthcareitnews.com/news/unencrypted-drive-7-years-patient-data-stolen-denton-heart-group


9. Brand New Day Health Insurance Data Breach


Brand New Day Health Plan, a Medicare Advantage plan certified by the U.S. Centers for Medicare & Medicaid Services (CMS), notified 14,000 enrollees in March that their medical information might have been compromised. The breach occurred when unauthorized individuals accessed encrypted electronic protected health information (ePHI) through a third-party vendor’s system. On December 28, the insurer discovered that an unauthorized user had accessed ePHI provided to its HIPAA business associates. According to the company, the unauthorized individual gained access to the relevant information via a vendor system used by a contractor.


Original URL: http://www.healthcareitnews.com/news/vendor-error-exposes-data-more-14000-health-plan-participants


10. Singh and Arora Oncology Hematology Blood Cancer Center Data Breach Incident


In August 2016, the Singh and Arora Hematology-Oncology Center in Michigan suffered a cyberattack. The center subsequently notified 22,000 patients in February that their information might have been compromised. According to local ABC12 news reports, hackers breached servers containing data from February to July 2016. Potentially exposed data included patients’ names, Social Security numbers, home addresses, phone numbers, dates of birth, CPT codes, and insurance information.


Source URL: http://www.healthcareitnews.com/news/michigan-cancer-center-notifies-22000-patients-breach-5-months-after-hack


Reference Content:

“A Review of Major U.S. Healthcare Data Breaches in 2017”, HIMSS

“Amazon Server Leaks 47GB of Medical Data, Exposing Information of 150,000 Patients”, Sina Technology