Unsecured Amazon S3 Bucket Exposed 47GB of Medical Records

Recently, there was an incident in which a HIPAA-covered entity used an unsecured Amazon S3 bucket to store patients’ medical data. Researchers from Kromtech Security discovered the cloud storage security problem. There were 47.5 GB of PDF files stored that contain the medical records of about 150,000 patients having weekly blood tests. The collected medical information includes blood test results, names of doctors, and case management notes. The data files also show the name, address and contact number of the patients.

According to Kromtech researchers, there was no password set to access these 316,000 PDF files. Anyone who knew the URL of the files and had an internet connection could access them. It is not known when the Amazon S3 bucket became unsecured or whether there were unauthorized file views or downloads. On September 29, Kromtech discovered the unsecured Amazon S3 bucket. They located the company that manages the data on October 5 and sent it a notification. The following day, all data were secured and no longer accessible to the public.

Cloud storage is a cost-effective and convenient alternative to storing ePHI for healthcare organizations provided the cloud platform is HIPAA-compliant. The issuance of a business associate agreement is also necessary though not a guarantee of security.

It is the responsibility of the healthcare organization to strictly implement controls that prevent access to medical data by unauthorized individuals. A mistake in safeguarding patients’ PHI can have serious consequences, including financial penalties from OCR and state attorneys general. Furthermore, the patients whose PHI has been exposed may file lawsuits to seek coverage of the damages and potential risks of harm.

No system is foolproof and mistakes can inevitably happen. So, healthcare organizations need to make sure that their files are always secure when using Amazon S3 buckets. A regular check for configuration errors can go a long way in ensuring ePHI confidentiality and integrity. Kromtech offers a free software tool that can help check whether AWS S3 bucket permissions are correctly configured to prevent public access. If you need this software, ask Kromtech about S3 Inspector.
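As an added check that is not part of the article or of Kromtech's S3 Inspector, the script below flags the two misconfigurations that most often make a bucket public: an ACL grant to the AllUsers or AuthenticatedUsers groups, and a bucket policy statement that allows a wildcard principal without a condition. It runs over constructed sample responses shaped like the output of the S3 GetBucketAcl and GetBucketPolicy API calls, so it needs no AWS credentials; the bucket name, owner ID and account ID in the samples are placeholders.

```python
# Added example (not from the article): flag S3 bucket ACL grants and bucket policy
# statements that open a bucket to the public. Inputs are constructed samples shaped
# like the S3 GetBucketAcl and GetBucketPolicy responses; nothing touches AWS.
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthUsers",  # any AWS account
}

def public_acl_grants(acl):
    """Return (group, permission) pairs that the ACL hands to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings

def public_policy_statements(policy_json):
    """Return Sids of Allow statements with a wildcard Principal and no Condition."""
    open_sids = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            open_sids.append(stmt.get("Sid", "<no Sid>"))
    return open_sids

# Constructed sample: owner has full control, but AllUsers may list (READ) the bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: one statement is anonymous, the other is scoped to one account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AccountRead", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL))           # [('AllUsers', 'READ')]
    print(public_policy_statements(SAMPLE_POLICY))  # ['PublicRead']
```

To audit a real bucket, feed the functions the live responses of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`; an empty result from both is the expected state for a bucket holding ePHI.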

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA