Misconfigured AWS S3 Bucket Exposed Sensitive Data of Breast Cancer Patients


Researchers have identified a misconfigured AWS S3 bucket belonging to the Ardmore, PA-based breast cancer support charity, Breastcancer.org,

The unsecured AWS bucket was identified by SafetyDetectives, who discovered that hundreds of thousands of files had been exposed over the Internet. The S3 bucket contained detailed exchangeable image file (EXIF) data, over 350,000 files, and more than 300,000 post images. In total, around 150GB of data had been exposed.

The S3 bucket included more than 50,000 registered users’ avatars, many of which were images of registered users. The avatars could be used in conjunction with the EXIF data to identify users. The bucket contained nude images of patients, and some of the files included detailed information about users’ medical test results. While contact information for individuals was not exposed, there is potential for abuse of the information.

The exposed S3 bucket was identified by the researchers on November 11, 2021, and could be accessed by anyone over the Internet without the need for authentication. After determining that the data belonged to breastcancer.org, the researchers made contact to raise the alarm about the misconfiguration and held back from going public about the exposed data until the S3 bucket was secured. The researchers have been monitoring the bucket and posted about the exposed data on April 28, 2022, the day after the S3 bucket was secured. It is unclear when the misconfiguration occurred and for how long the data had been exposed. The files in the bucket dated back to April 2017, and since many of the files in the bucket were recent, it appears that it was still in use at the time it was discovered.

“Breastcancer.org recently became aware that an AWS S3 bucket was configured in such a way that non-registered users could theoretically access it. In response, Breastcancer.org engaged a team of third-party experts to investigate this matter. That investigation is ongoing,” said Breastcancer.org in a statement provided to HIPAA Journal. “In the interim, Breastcancer.org reconfigured the Amazon Web Services (AWS) S3 bucket, removed the metadata associated with all historical and new uploaded images, and implemented pre-signed tokens that allow only the community website (or approved Breastcancer.org staff) to load or download images.”
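The metadata-removal step named in the statement, shown as an added example (not code from Breastcancer.org, SafetyDetectives or the article): a dependency-free pass that drops EXIF, XMP and comment segments from a JPEG before it is stored. It assumes uploads are JPEG files; the function names and the sample bytes are constructed for illustration.

```python
import struct

SOI, SOS, APP1, COM = b"\xff\xd8", 0xDA, 0xE1, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn carry no length field

def _label(marker, payload):
    """Name the metadata a segment carries, or '' if it must be kept."""
    if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
        return "EXIF"  # camera, timestamps, GPS, embedded thumbnail
    if marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "XMP"
    return "COM" if marker == COM else ""

def strip_metadata(jpeg: bytes):
    """Return (cleaned JPEG bytes, list of removed segment kinds)."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(SOI), [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
        elif marker == SOS:  # entropy-coded data follows: copy the rest as-is
            return bytes(out + jpeg[pos:]), removed
        elif marker in STANDALONE:
            out += jpeg[pos:pos + 2]
            pos += 2
        else:
            (length,) = struct.unpack_from(">H", jpeg, pos + 2)
            end = pos + 2 + length
            if length < 2 or end > len(jpeg):
                raise ValueError("truncated or corrupt segment")
            kind = _label(marker, jpeg[pos + 4:end])
            if kind:
                removed.append(kind)
            else:
                out += jpeg[pos:end]
            pos = end
    raise ValueError("no SOS marker found: truncated file")

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: segment layout of a JPEG, not a decodable picture.
SAMPLE = (SOI + _seg(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
          + _seg(APP1, b"Exif\x00\x00MM\x00\x2a" + b"constructed GPS tags")
          + _seg(0xDB, bytes(65)) + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\xff\x00\x56\xff\xd9")
```

Calling `strip_metadata(SAMPLE)` returns the cleaned bytes and `["EXIF"]`. Removing the EXIF segment also removes the orientation tag, so an upload pipeline that relies on it should rotate the pixels before stripping.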

Exposures of healthcare data such as this only violate HIPAA if the owner of the data is a HIPAA-regulated entity, which breastcancer.org is not.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
