Misconfigured Amazon Cloud Servers Lead To Yet Another Healthcare Breach
By: Jim Stickley and Tina Davis
January 15, 2020
Nearly 90,000 patients had their private healthcare data exposed in a breach involving two misconfigured Amazon Web Services (AWS) cloud servers. The patient data stored in AWS for Medico, Inc. and Amarin Pharma was publicly exposed in the breach. The exposed information included a massive amount of PHI (Protected Health Information), including Social Security numbers, passwords, banking and insurance information, legal documents and medication history. That’s enough PHI to make you ill.
The two breaches involving Amazon’s Simple Storage Service (S3) are just some of the latest reported by those using S3 data storage. Another improperly configured AWS server using S3 cloud storage was responsible for leaking data from TD Bank, Netflix, and Ford. Healthcare companies are known for the incredibly sensitive data they collect and for the ongoing responsibility for the health of their patients. It’s no wonder hackers put a bullseye on healthcare data many years ago. Knowing that an ongoing S3 security problem has resulted in tens of millions of breached data records being accidentally released doesn’t help victims feel any better.
UpGuard researchers looking into the data breaches found they were due to misconfigured settings. The researchers learned that not only can S3 buckets be publicly exposed through their security settings, but those responsible for choosing the settings lacked the knowledge to protect their data. Researchers believe poor operational processes at these healthcare organizations led them to underestimate the risk of data exposure, which in turn led to incorrect security settings for their S3 data. Regardless of who’s to blame, the researchers write about the victims: “…the consequences of exposure are the same: a breach of trust, a violation of privacy, and problems brought on by the very act of seeking and receiving help.”
Amazon recently released a new feature for S3 account holders allowing them to set default security for their data. But there are security steps those in IT and others in charge of securing sensitive data should take as well. For the many companies breached using S3, public data exposure could have been avoided by choosing the correct option.
- External-facing systems need to be properly configured to ensure data isn’t publicly exposed: know what the options are.
- Proper system configuration goes a long way toward keeping sensitive data and other vulnerabilities in check.
- Always apply security patches as soon as they are released. These patches often fix security flaws including those inadvertently leading to data exposure and malicious infections.
Consumers know incompetence is never an excuse for having their information exposed, accidentally or otherwise.
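An added example, not from the article or from UpGuard: a small offline audit that flags the kind of public S3 exposure described above, with a weak configuration beside a corrected one. The bucket data and the name `example-records` are constructed, and treating any policy Condition as narrowing access is a simplifying assumption.

```python
# Offline audit of S3 settings, in the shapes returned by GetBucketAcl,
# GetBucketPolicy and GetPublicAccessBlock. All bucket data is constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions the ACL grants to everyone or to any AWS account."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_statements(policy):
    """Sids of Allow statements open to any principal with no Condition.
    Simplification: any Condition is assumed to narrow access."""
    hits = []
    for s in as_list(policy.get("Statement", [])):
        p = s.get("Principal")
        wild = p == "*" or (isinstance(p, dict) and "*" in as_list(p.get("AWS")))
        if s.get("Effect") == "Allow" and wild and not s.get("Condition"):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits

def audit(bucket):
    """Return findings for one bucket; an empty list means no issue found."""
    pab = bucket.get("PublicAccessBlock", {})
    findings = []
    grants = public_acl_grants(bucket.get("Acl", {}))
    if grants and not pab.get("IgnorePublicAcls"):
        findings.append(f"public ACL grant: {', '.join(grants)}")
    sids = public_statements(bucket.get("Policy", {}))
    if sids and not pab.get("RestrictPublicBuckets"):
        findings.append(f"public policy statement: {', '.join(sids)}")
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"Block Public Access off: {', '.join(missing)}")
    return findings

# Constructed sample: the weak configuration beside the corrected one.
EXPOSED = {"Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI":
           "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
           "Policy": {"Statement": [{"Sid": "AnyoneCanGet", "Effect": "Allow",
           "Principal": "*", "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::example-records/*"}]}}
LOCKED = dict(EXPOSED, PublicAccessBlock={k: True for k in PAB_KEYS})
```

`audit(EXPOSED)` returns three findings and `audit(LOCKED)` returns none, because the Block Public Access settings override the public ACL grant and the public policy statement that are still attached to the bucket.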