An Amazon S3 bucket left publicly accessible has leaked about 47GB of medical data, comprising 315,363 PDF files. The discovery was made by Kromtech Security Researchers, who estimated that the medical documents pertain to at least 150,000 patients. Among the leaked data are blood test results, personal information such as patient names and home addresses, plus information on the doctors and their case management notes.
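The root cause reported here is a storage bucket whose access settings allowed anonymous reads. The following added example (written for this page, not Kromtech's tooling and not the exposed bucket's real configuration) shows the offline logic an auditor applies to the two S3 settings that decide this: the bucket ACL, where a grant to the `AllUsers` or `AuthenticatedUsers` group URI means anyone (or any AWS account) can read, and the Public Access Block configuration, whose `IgnorePublicAcls` flag neutralises such grants. The input dictionaries are constructed to match the shape of boto3's `get_bucket_acl` and `get_public_access_block` responses; no network call is made.

```python
"""Offline assessment of S3 bucket ACL and Public Access Block settings.

Added example for this article; the sample buckets below are constructed
and do not describe any real account.
"""
from typing import Dict, List, Optional, Tuple

# Well-known S3 group URIs that make a grant public (AWS-documented values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# The four Public Access Block settings; all should be True on a private bucket.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (group URI, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def pab_config(pab: Optional[Dict]) -> Dict:
    """Unwrap a get_public_access_block response (or None when none is set)."""
    if not pab:
        return {}
    return pab.get("PublicAccessBlockConfiguration", pab)


def pab_is_complete(pab: Optional[Dict]) -> bool:
    """True only when all four Public Access Block settings are enabled."""
    cfg = pab_config(pab)
    return all(cfg.get(key) is True for key in PAB_KEYS)


def assess_bucket(name: str, acl: Dict, pab: Optional[Dict]) -> Dict:
    """Combine ACL grants and Public Access Block into an effective-exposure verdict."""
    grants = public_grants(acl)
    # IgnorePublicAcls makes S3 disregard public ACL grants even if they are
    # still attached, so a grant alone is not enough to expose the bucket.
    ignore_acls = pab_config(pab).get("IgnorePublicAcls") is True
    return {
        "bucket": name,
        "public_grants": grants,
        "public_access_block_complete": pab_is_complete(pab),
        "effectively_public": bool(grants) and not ignore_acls,
    }


# Constructed sample: the pattern behind an exposure like the one reported above.
EXPOSED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
NO_PAB = None

# Constructed sample: same ACL, but Public Access Block fully enabled.
FULL_PAB = {"PublicAccessBlockConfiguration": {key: True for key in PAB_KEYS}}

# Constructed sample: private ACL, no public grants at all.
PRIVATE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": EXPOSED_ACL["Grants"][:1]}


def run_samples() -> List[Dict]:
    return [
        assess_bucket("patient-reports-exposed", EXPOSED_ACL, NO_PAB),
        assess_bucket("patient-reports-blocked", EXPOSED_ACL, FULL_PAB),
        assess_bucket("patient-reports-private", PRIVATE_ACL, FULL_PAB),
    ]


if __name__ == "__main__":
    for result in run_samples():
        flag = "PUBLIC" if result["effectively_public"] else "private"
        print(f"{result['bucket']}: {flag}, grants={result['public_grants']}, "
              f"pab_complete={result['public_access_block_complete']}")
```

The second sample illustrates why the Public Access Block is the control to verify first: it keeps the bucket private even when a public ACL grant was left behind, which is the cheapest way to close the gap described in this story while the ACL itself is cleaned up.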
A large portion of the leaked PDF documents are described as being multiple reports on patients who appeared to be undergoing weekly testing. Kromtech says the documents are associated with the company ‘Patient Home Monitoring,’ which appears to be performing regular in-home blood tests on behalf of doctors who had prescribed a medication requiring frequent monitoring.
The researchers note that this company’s website has a privacy page which promises customers that they ‘have the right to know who has accessed your confidential healthcare information and for what purposes.’ Obviously a database left exposed to the public represents a huge privacy breach, one that violates HIPAA, among other things, and would require affected individuals to be notified under the HIPAA Breach Notification Rule.
Kromtech explains that it identified the vulnerability on September 29, and that after searching for an appropriate contact email, it notified the company of the issue on October 5. The researchers say that the database was secured away from public access by the next day, October 6, but that no response of any kind was given.
This is the latest of a growing number of privacy violations that leave sensitive documents readily available to the public via the Internet. Recently, for example, an online translation service was found making copies of translated texts available in plain view online for anyone to find. These exposed documents included sensitive information like business contracts, and led some governments and companies to block access to the service.
SOURCE: MacKeeper Security