Systema Software Data Breach: 1.5M+ Medical Records Accessible via AWS

Insurance claim data and other highly sensitive information were inadvertently posted on Amazon Web Services after an error was made by a contractor of Systema Software, a Business Associate of a number of HIPAA-covered health insurance providers. Systema Software was responsible for processing claims for a number of U.S. insurance companies.

The data exposed in the Systema Software data breach included Social Security numbers, insurance claim information, drug test results, details of medical services provided – and dates of treatment – billing amounts, and unique payment and claimant ID numbers. Personal information that ties the records to specific individuals was also exposed. The data also included details of claims that had been approved and rejected by insurance companies, as well as details of how those insurance carriers were expecting to defend certain claims.

The data breach was discovered by tech enthusiast Chris Vickery, who became aware that system dump data was occasionally posted to the cloud via Amazon Web Services. Upon investigation, Vickery discovered a huge volume of data that included highly confidential medical records, claim data and even police reports on individuals.

After downloading some of the data, Vickery alerted databreaches.net to the security breach and contacted the companies whose data was included in the files. According to a report posted on the website, Vickery said “There were a minimum of 1.5 million individuals who had personal details exposed, probably 1 million SSNs, more than 5 million financial transactions detailed, over 1000 entities that had data exposed, and hundreds of thousands of injury reports. Not all entities are necessarily clients of the software firm.”


One of the affected clients, which appears to have had its entire database posted online, is the Kansas State Self Insurance Fund. Data from its SIMS database was accessible via AWS, which included the Social Security numbers, names, addresses, and telephone numbers of over a million Kansas residents. A CSAC Excess Insurance Authority (CSAC-EIA) database was also accessible. That database allegedly contained over 570,000 records, which included Social Security numbers, dates of birth, and contact information, in addition to 4.7 million notepad entries and 3 million payment entries dating back to 1987. An unprotected Salt Lake County database was also downloadable via AWS.

According to Vickery, the data included “Tons of financial transaction data. Bank accounts with routing numbers, check numbers, amounts, dates… and not everyone is a client. Any person or company that got paid-out is at least mentioned.”

The Systema Software data breach is not the work of hackers, but appears to have resulted from human error. Systema Software has not explained how the data came to be posted on AWS, although the COO of the software company, Danny Smith, did reply to Vickery’s breach notification via email. He said, “I wanted to let you know that we’ve contacted all of our clients at this point and made them aware of the situation. Again, we’re grateful that it was you who found this exposure and that your intentions are good.”

Vickery also spoke with Smith on the telephone and was allegedly advised that the data were accidentally made available online after a contractor made a mistake. Smith sought confirmation from Vickery that the data he downloaded had been secured, and said “Our clients are looking for confirmation that you have not shared their data with anyone else, will not share it, and will delete it.” Vickery said that this was the case and only he had viewed the information. Vickery confirmed he is receiving assistance from the Texas Attorney General to make sure that all traces of the data are securely and permanently deleted from his computer.

There were fears that Vickery was not the only person to have downloaded the data, as any number of individuals could potentially have accessed the information via AWS. Fortunately, this does not appear to be the case.

After the Kansas Department of Health and Environment (KDHE) was notified of the Systema Software data breach, it conducted an investigation and determined that the files were no longer accessible online, and reported that only one individual had downloaded the data (Vickery). A statement was issued by KDHE saying “We have worked with our contractor to determine what information was available and to whom it was available. We are confident that all identities remain safe and confidential.”

However, Vickery confirmed to HIPAA Journal that “another affected entity was informed, by Systema, that absolutely no logs existed for that Amazon bucket.” If no logs existed, then there is no way of telling how many individuals managed to download the data bucket before it was secured.
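Had server access logging been enabled on the bucket, the question of who downloaded what could have been answered from the logs. As an added example (not from the article, Systema, or any affected entity), here is how a responder would parse S3 server access log lines to list successful object downloads per source address and flag anonymous requesters; the bucket name, object keys, addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Leading fields of the S3 server access log format: bucket owner, bucket,
# [time], remote IP, requester ("-" when anonymous), request id, operation,
# key, "request URI", HTTP status, error code, bytes sent. Later fields
# (object size, timings, referrer, user agent, ...) are not needed here.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes>\S+)'
)

# Constructed sample: two anonymous downloads from one address, one
# authenticated download, one bucket listing and one denied request.
SAMPLE_LOG = """\
OWNERID claims-dump [21/Sep/2015:09:12:01 +0000] 203.0.113.7 - REQ1 REST.GET.OBJECT sims/claims.bak "GET /sims/claims.bak HTTP/1.1" 200 - 524288000 524288000 9000 12 "-" "curl/7.43.0" -
OWNERID claims-dump [21/Sep/2015:09:15:44 +0000] 203.0.113.7 - REQ2 REST.GET.OBJECT sims/payments.csv "GET /sims/payments.csv HTTP/1.1" 200 - 8192000 8192000 300 8 "-" "curl/7.43.0" -
OWNERID claims-dump [21/Sep/2015:09:20:10 +0000] 198.51.100.9 - REQ3 REST.GET.BUCKET - "GET /?prefix=sims/ HTTP/1.1" 200 - 2048 - 15 10 "-" "Mozilla/5.0" -
OWNERID claims-dump [21/Sep/2015:10:02:33 +0000] 192.0.2.50 arn:aws:iam::111122223333:user/contractor REQ4 REST.GET.OBJECT sims/claims.bak "GET /sims/claims.bak HTTP/1.1" 200 - 524288000 524288000 7000 9 "-" "aws-cli/1.8.0" -
OWNERID claims-dump [21/Sep/2015:10:05:00 +0000] 198.51.100.9 - REQ5 REST.GET.OBJECT sims/claims.bak "GET /sims/claims.bak HTTP/1.1" 403 AccessDenied - 524288000 5 3 "-" "Mozilla/5.0" -
"""


def summarize_downloads(log_text):
    """Map (remote_ip, requester) -> {'objects': set of keys, 'bytes': int}
    for object GETs that succeeded (2xx). Listings and denied requests are
    ignored because no object data left the bucket."""
    summary = defaultdict(lambda: {"objects": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["op"] != "REST.GET.OBJECT" or not m["status"].startswith("2"):
            continue
        entry = summary[(m["ip"], m["requester"])]
        entry["objects"].add(m["key"])
        entry["bytes"] += int(m["bytes"]) if m["bytes"].isdigit() else 0
    return dict(summary)


def anonymous_downloaders(summary):
    """Addresses that pulled objects without any AWS identity: these are the
    downloads a breach notification decision has to account for."""
    return sorted(ip for (ip, requester) in summary if requester == "-")


if __name__ == "__main__":
    result = summarize_downloads(SAMPLE_LOG)
    for (ip, requester), entry in result.items():
        print(ip, requester, sorted(entry["objects"]), entry["bytes"])
    print("anonymous:", anonymous_downloaders(result))
```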

As a Business Associate of a number of HIPAA-covered entities, Systema Software is likely to be investigated for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). Systema Software is obliged to implement safeguards to prevent the exposure of confidential data, which under the Omnibus Rule, includes taking steps to prevent its contractors from exposing any data provided to them.

At present, Systema is conducting a thorough investigation into the security breach and will be taking a number of steps to ensure that all data held is appropriately protected in the future. Once the investigation has been completed, the company will be able to determine what, if any, remediation measures will be necessary. If it is not possible to determine how many individuals have accessed the data, and whether any information has been downloaded, HIPAA regulations demand that breach notification letters are sent to all affected individuals. Due to the highly sensitive nature of the data exposed, remediation measures will need to reflect the level of identity theft risk that each of those individuals now faces.

Post updated: 10:44AM, 21/9/2015 to reflect new information received by HIPAAJournal

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.