Massive Trove of Medical Records Potentially Exposed
On December 5th we received a message from Matt Svensson (an independent security researcher with whom we investigated the latest Ashley Madison private pictures authentication issue). He shared with us the results of his stunning S3 environment analysis and pointed out a large PDF file storage left unprotected.
Upon closer look at the data in an attempt to identify the owner of files, we came to the conclusion that these were sensitive medical records and appeared to belong to a US-based digital records management company (the “Company”).
Thanks to Dissent Doe, our long-time collaborator on the medical-related leaks, we've been able to alert the Company and within the responsible disclosure process they quickly disabled the public access to the data.
Access to the data was achieved through a proprietary tool that deciphers unique URL names associated with public buckets within Amazon's S3 environment. Once that direct access is achieved, a user can bypass AWS data encryption and copy direct links to files and folders that can then be accessed via the link.
Upon notification, the Company immediately remedied the setting that allowed for this type of access. It has completed the notification process of clients whose files were exposed. The Company's investigation did not reveal evidence that anyone other than our researchers had accessed the S3 bucket. As part of its validation process, Kromtech downloaded several hundred files, which we subsequently destroyed.
The unfortunate part of so many patient records being exposed is that it was likely a human error and not a malicious actor or cyber criminal. The repositories contained a wide range of sensitive details about patients that are protected under HIPAA laws. HIPAA violations can carry large financial penalties in the event of willful neglect or purposely leaking patient information online.
We at Kromtech Security Center have already pointed out the danger of publicly accessible Amazon S3 buckets and released a sample tool that helps Amazon S3 users quickly check their S3 buckets for public access. It provides an extra layer of security so that users can be confident that their data is well-protected and is not accessible to, or being downloaded by, unauthorised users.
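As an added illustration of the kind of check such a tool performs (example code written for this article, not Kromtech's tool), the functions below inspect a bucket's ACL and bucket policy for grants to everyone. They assume the dict and JSON shapes that boto3's `get_bucket_acl` and `get_bucket_policy` return, and the sample ACL and policy are constructed, not taken from the incident.

```python
import json

# URIs AWS uses for the two "everyone" grantee groups in an S3 ACL.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Permissions an ACL (shape of get_bucket_acl) hands to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant["Permission"])
    return found


def _is_wildcard_principal(principal):
    # Both "*" and {"AWS": "*"} mean "any principal, including anonymous".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_actions(policy_json):
    """Actions a bucket policy (get_bucket_policy()['Policy']) allows to any principal.
    Statements with a Condition are still reported: a condition may narrow the grant,
    so a human should review them rather than have the check silently skip them."""
    actions = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def bucket_is_public(acl, policy_json=None):
    """True if either the ACL or the bucket policy exposes the bucket to everyone."""
    return bool(acl_public_grants(acl)) or bool(policy_json and policy_public_actions(policy_json))


# Constructed sample data for a stand-alone run (hypothetical owner id and bucket).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_ACL_PRIVATE = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_ACL_OPEN = {"Grants": SAMPLE_ACL_PRIVATE["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEE_URIS and
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY_OPEN = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
```

To run it against a live account, pass `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]` (the latter raises `NoSuchBucketPolicy` when no policy is attached, which you treat as `None`).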
It is not often that we receive an adequate response from an affected entity, but in this case we want to recognize the Company's exemplary way of handling the situation and not following the 'shoot-the-messenger' tactics we have seen in some of the incidents this year. The following statement was received on behalf of the Company:
“Robust security is vital to our operations. We appreciate the work of the white-hat security researchers at Kromtech Security Center, who identified the vulnerability and notified us. Their information allowed us to address the issue within minutes of notification and bring this single bucket's security in line to protect the privacy of records in our database and quickly notify affected clients.”