HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Misconfigured AWS S3 Bucket Exposed Sensitive Data of Breast Cancer Patients

Researchers have identified a misconfigured AWS S3 bucket belonging to the Ardmore, PA-based breast cancer support charity, Breastcancer.org,

The unsecured AWS bucket was identified by SafetyDetectives who discovered hundreds of thousands of files had been exposed over the Internet. The S3 bucket contained detailed exchangeable image file (EXIF) data, over 350,000 files, and more than 300,000 post images. In total, around 150GB of data had been exposed.

The S3 bucket included more than 50,000 registered users’ avatars, many of which were images of registered users. The avatars could be used in conduction with the EXIF data to identify users. The bucket contained nude images of patients, and some of the files included detailed information about users’ medical test results. While contact information for individuals was not exposed, there is potential for abuse of the information.

The exposed S3 bucket was identified by the researchers on November 11, 2021, and could be accessed by anyone over the Internet without the need for authentication. After determining that the data belonged to breastcancer.org, the researchers made contact to raise the alarm about the misconfiguration and held back going public about the exposed data until the S3 bucket was secured. The researchers have been monitoring the bucket and posted about the exposed data on April 28, 2022, the day after the S3 bucket was secured. It is unclear when the misconfiguration occurred and for how long the data had been exposed. The files in the bucket dated back to April 2017, and since many of the files in the bucket were recent, it appears that it was still in use at the time it was discovered.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

“Breastcancer.org recently became aware that an AWS S3 bucket was configured in such a way that non-registered users could theoretically access it. In response, Breastcancer.org engaged a team of third-party experts to investigate this matter. That investigation is ongoing,” said Breastcancer.org in a statement provided to HIPAA Journal. ” In the interim, Breastcancer.org reconfigured the Amazon Web Services (AWS) S3 bucket, removed the metadata associated with all historical and new uploaded images, and implemented pre-signed tokens that allow only the community website (or approved Breastcancer.org staff) to load or download images.”

Exposures of healthcare data such as this only violate HIPAA if the owner of the data is a HIPAA-regulated entity, which breastcancer.org is not.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.