HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Unsecured Amazon S3 Buckets Contained ID Card Scans of 52,000 Individuals

Premier Diagnostics, a Utah-based COVID-19 testing service, has inadvertently exposed the protected health information of tens of thousands of individuals.

Two Exposed Amazon S3 buckets were discovered by Bob Diachenko of Comparitech on February 22, 2021. It was not initially clear who owned the data, which related to patients from Utah, Nevada, and Colorado. The S3 buckets were eventually traced to Premier Diagnostics.

The S3 buckets contained two databases, one of which included around 200,000 images of scans of ID cards such as driver’s licenses, passports, state ID cards, medical insurance cards, and other IDs documents. The databases had been indexed by search engines and could be accessed over the Internet without a password.

Premier Diagnostics was determined to be the probable owner of the data on February 25, 2020 and attempts were made to contact the company. Contact was finally made on March 1, 2021 and the databases were secured the same day.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

It is unclear whether the databases were found and downloaded by any individuals other then Diachenko in the week or more that the databases were accessible over the Internet. Premier Diagnostics confirmed to Comparitech that each individual had four scans: Two scans of a health insurance card and two scans of an ID document, so the IDs and insurance information of approximately 52,000 individuals were exposed. The ID cards included an individual’s name, age, address, gender, ID number, and their photo.

The second exposed Amazon S3 bucket contained a database that included the names, dates of birth, and test sample IDs from individuals who underwent a COVID-19 test, although the database did not include the test result. “Each of the 3,645 items in the bucket is a scanned table with dozens of patients,” explained Comparitech.

Nefilim Ransomware Gang Publishes Data Stolen from Atlanta Allergy & Asthma

Databreaches.net has reported Atlanta Allergy & Asthma in Georgia is one of the latest victims of the Nefilim ransomware gang, which recently published sensitive data on its dark web leak site that was stolen prior to the encryption of files. A 1.3 GB compressed archive was uploaded to the leak site that contained 597 files containing 2.5 GB of data.

The dumped data is a sample of an alleged 19GB of data stolen in the attack, with the Nefilim actors threatening to publish the remaining data if the ransom is not paid. The published data includes billing documents and patient audits that include highly sensitive personal, medical, and insurance information.

The HHS’ Office for Civil Rights website indicates 9,851 individuals have been affected by the breach.

Ransomware Gang Demanded $1.75 Million Payment from Allergy Partners of Western North Carolina

The Federal Bureau of Investigation (FBI) is investigating a February 23, 2021 ransomware attack on Allergy Partners of Western North Carolina that took its IT systems out of action for several days. As a result of the attack, the allergy center was unable to provide allergy shots to patients at its offices in Asheville and Arden. Normal services for patients resumed on March 1 at most of its locations.

According to a report filed with the police department, the attackers demand a ransom payment of $1.75 million for the keys to decrypt files.  Its IT department has been working round the clock to restore files and systems and third-party cybersecurity firms have been engaged to investigate the breach and determine if patient information was accessed or obtained by the attackers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.