47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket

Researchers at Kromtech Security have identified another unsecured Amazon S3 bucket used by a HIPAA-covered entity. The unsecured Amazon S3 bucket contained 47.5GB of medical data relating to an estimated 150,000 patients.

The medical data in the files included blood test results, physician’s names, case management notes, and the personal information of patients, including their names, addresses, and contact telephone numbers. The researchers said many of the stored documents were PDF files, containing information on multiple patients that were having weekly blood tests performed.

In total, approximately 316,000 PDF files were freely accessible. The tests had been performed in patient’s homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech researchers said the data could be accessed without a password. Anyone with an Internet connection, that knew where to look, could have accessed all 316,000 files. Whether any unauthorized individuals viewed or downloaded the files is not known. The researchers were also unable to tell how long the Amazon S3 bucket had remained unsecured.

The unsecured Amazon S3 bucket was found by Kromtech researchers on September 29. It took some time to identify the company concerned and find contact details. They were located on October 5 and a notification was sent. While no response was forthcoming, by the following day, all data were secured and files could no longer be accessed online without authentication.

The cloud offers healthcare organizations cost effective and convenient data storage. Provided HIPAA-compliant cloud platforms are used and a business associate agreement is obtained prior to the cloud being used to store ePHI, HIPAA permits use of the cloud. However, having a BAA does not guarantee HIPAA compliance. The actions of users can still result in HIPAA violations and the exposure of sensitive data.

The failure to implement controls to prevent cloud-stored data from being accessed by unauthorized individuals is an easy mistake to make, but one that can have serious consequences, not only for the patients whose PHI has been exposed, but also for the covered entity or business associate.

The failure to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI can result in severe financial penalties from OCR and state attorneys general. A data breach can also result in lawsuits from patients seeking damages to cover the lifelong risk of harm from the exposure of their PHI.

Mistakes are inevitable, and oftentimes those mistakes will result in PHI being exposed, but in the case of unsecured Amazon S3 buckets, it is also easy to check for configuration errors. Kromtech, for example, offers a free software tool – S3 Inspector – that can be used by healthcare organizations to check whether their AWS S3 bucket permissions have been configured correctly to prevent access by the public.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.