Analecta Cyber Company Blog: Error Exposes 1.5 Million People's Private Medical Records on Amazon Web Services

2015-09-30

Several large-scale data breaches have been uncovered within the past couple of years. They usually involve hackers trying to access data for their own benefit. That was not the case this time. A wide variety of information on approximately 1.5 million people was exposed on a public subdomain of Amazon Web Services, including details from police injury reports, patients' notes from their doctors, Social Security numbers and other personal data. Rather than a cyber attack, the sensitive information was exposed through a third-party contractor's negligence.

In early September, a Texas-based researcher discovered the massive data exposure: private medical information sitting online, available for anyone to download. After realizing what it was, the researcher immediately contacted the affected organizations, including Kansas' State Self Insurance Fund, CSAC Excess Insurance Authority and the Salt Lake County Database.
Investigation finds limited exposure

Investigations confirmed that the data came from Systema Software, a small company that manages insurance claims. Though it is still unclear how the data ended up on the site, the company confirmed that it did. The researcher will turn the data over to the Texas Attorney General, where it will be destroyed. That does not mean Systema is free of liability for the breach, given that it failed to protect the security of patients' electronic medical information.

The database was no longer available from the Amazon subdomain shortly after the affected organizations were informed. Systema Software's COO stated that the company has already contacted all of its clients involved in the incident. The Kansas Department of Health and Environment, one of the affected organizations, confirmed that no individual other than the researcher appears to have accessed the data, and that it is confident all identities remained protected after the incident. Systema backed up this account: based on its initial review, it found no indication of any data theft, and the company immediately launched security measures, including a comprehensive internal review to identify the scope of the event. It is also working closely with state and federal authorities, as well as a leading forensic IT firm, to take appropriate steps to safeguard the data and strengthen the company's data security policies.

Even if no indication of data theft was found, the company's negligence should not be ignored; a finding of "no other access" is also only as strong as the access logs kept for the exposed location. Companies entrusted with some of the most personal records of millions of people are responsible for safeguarding the information handed to them. This incident should serve as a warning to companies storing electronic medical records that their own negligence can cause damage even greater than malicious hackers could.