[BreachExchange] Medical Records and Sensitive Data of 150,000 US Patients Exposed

Destry Winant destry at riskbasedsecurity.com
Thu Oct 12 01:10:19 EDT 2017


https://www.hackread.com/medical-records-sensitive-data-of-150000-us-patients-exposed/

It’s Another Day With Yet Another Amazon Web Services (AWS) Bucket
Exposing Sensitive User Data To The Public.

IT security researchers at Kromtech Security discovered an unprotected
Amazon Web Services (AWS) bucket available for public access. The
bucket contained personal and sensitive data of more than 150,000
patients of Patient Home Monitoring (PHM), a healthcare firm in
Lafayette, Louisiana, United States, that provides an in-home testing
program.

According to a Kromtech Security blog post, the 47.5 GB of data
contained patients' names, phone numbers, addresses, and 316,363 PDF
medical records in the form of weekly blood test results and other
test results. Furthermore, the data contained a backup folder for the
firm’s development server and details such as doctors' names, client
data and case management notes.

The security firm discovered the data on September 29th and alerted
the healthcare authorities on October 5th. Although the bucket is now
secured, Kromtech Security didn’t get any response from the firm.

Alex Kernishniuk, Kromtech’s VP of Strategic Alliances, commented on
the leak: “This is yet another wake-up call for companies who try to
bridge the gap between healthcare and technology to make sure
cybersecurity is also a part of their business model.

“This Amazon repository was misconfigured to be publicly available,
and anyone with an internet connection could access these confidential
medical records. Even the most basic security measures would have
prevented this data breach.

“Unfortunately, there are many more databases and cloud storage
repositories waiting to be discovered, and the Kromtech Security
Center is committed to helping to secure and protect data online.”

Just yesterday, security researchers from UpGuard revealed that they
had found 4 AWS buckets exposed to the public, containing highly
sensitive and critical data belonging to Accenture, one of the world’s
largest corporate consulting and management firms, and its clients.

The healthcare industry is already vulnerable to cyber attacks.
Especially after the return of Locky ransomware, pharmaceutical and
medical firms should remain vigilant and secure their data before
malicious actors can get their hands on it.

