[BreachExchange] After Breach, Mental Healthcare Provider Sues Amazon

Destry Winant destry at riskbasedsecurity.com
Wed Mar 31 11:00:59 EDT 2021


https://www.databreachtoday.com/after-breach-mental-healthcare-provider-sues-amazon-a-16278

A Florida-based mental healthcare provider is taking legal steps to
help ensure that sensitive patient data that apparently was
exfiltrated from its systems and stored in Amazon Web Services (AWS)
S3 buckets is protected from further exposure.

Fort Myers-based SalusCare Inc. says an unknown attacker exfiltrated a
database containing "thousands" of its patient and employee files,
including sensitive psychiatric and addiction records and Social
Security numbers. That data now resides in two AWS buckets, the
organization says.

In a lawsuit, SalusCare asked a federal court to order AWS to provide
it with “a complete copy of the contents of the cloud-based AWS
buckets along with complete audit logs of all transfers of information
into and out of the AWS buckets, and thereafter permanently purge all
contents of the AWS buckets.”

SalusCare also asked the court to order "John Doe," the unknown
hacker, to turn over data stored in the buckets and take the same
steps requested of AWS.

Meanwhile, on Thursday, a Florida federal court issued a temporary
restraining order preventing AWS from allowing anyone to access the
contents of two buckets that SalusCare alleges contain the stolen
data.

A second temporary restraining order states: "John Doe, its officers,
agents, servants, and employees and any persons in active concert or
participation with them are temporarily restrained and enjoined from
directly or indirectly accessing, transferring, disclosing, or dealing
with any data stolen from SalusCare."

The restraining orders remain in effect until April 8.

SalusCare contends that without the temporary restraining order, the
hacker is likely to access the stolen information and sell it.
"Because of the nature of the stolen data, its unauthorized disclosure
is likely to cause irreparable harm to the privacy, health, credit and
finances of SalusCare’s patients and employees," the organization's
court filing notes.

"John Doe will likely sell the stolen information on the 'dark web'
where it will likely be used to promote identity theft and possible
online disclosure - any of which would cause substantial, imminent and
irreparable harm to [SalusCare]," the lawsuit states.

The Security Incident

SalusCare says that on March 16, one of its computer technicians
responded to reports of a computer slowdown and discovered through
audit logs that SalusCare’s server had been hacked and a database
copied by an attacker.

The server was protected by passwords given only to SalusCare’s
employees, the organization states in its lawsuit.

“SalusCare’s audit logs showed that the hacker’s 'code' originated in
Ukraine, and that the servers were copied to two of Amazon’s virtual
storage 'buckets' identified as s3://saluscare and s3://saulscare,"
the lawsuit notes. “SalusCare has no business in Ukraine and is
unaware of any legitimate, non-fraudulent explanation for such an
exfiltration of data."

The stolen database contains thousands of SalusCare’s electronically
stored patient and employee files, the lawsuit states.

SalusCare's court filing doesn't provide further details about the
hacking incident. Two points in the filing deserve a practitioner's
caveat: a source address that geolocates to Ukraine identifies only
the last hop the attacker used, not the attacker or their location,
and S3 bucket names are globally unique and chosen by whoever creates
the bucket, so "saluscare" and "saulscare" in a bucket name indicate
nothing about who controls it.

Crime Risk

Before filing the lawsuit, SalusCare’s lawyers engaged in substantive
communication with attorneys in Amazon’s general counsel office, the
lawsuit states.

"Amazon told SalusCare that it suspended the hacker’s access to the
data. But Amazon did not promise to maintain the suspension, and said
that without a temporary restraining order or injunction, it could
lift the suspension without notice to SalusCare," the lawsuit notes.

Besides seeking the injunctions, the lawsuit seeks damages and alleges
John Doe committed violations of the federal Computer Fraud and Abuse
Act and Florida's Computer Abuse and Data Recovery Act.

Neither SalusCare nor AWS immediately responded to Information
Security Media Group's requests for comment.

Right Moves?

Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg
P.C. says he thinks the court's injunctions should become permanent.
"Those injunctions are proper against John Doe but is a bit thinner
against Amazon," he says. Still, the injunction against AWS "imposes
an obligation on Amazon to make sure that it minimizes the potential
for exfiltration of patient PHI through Amazon mishandling – meaning
that Amazon needs to take care that this information stays in the
barn."

What's most significant about the injunctions is that they require
that both the unnamed hacker and the cloud provider take measures to
protect SalusCare's information from further exfiltration, he says.
This "now places a burden on Amazon, as well."
