Police injury reports, drug tests, detailed doctor visit notes, social security numbers — all were inexplicably unveiled on a public subdomain of Amazon Web Services. Welcome to the next big data breach horrorshow. Instead of hackers, it’s old-fashioned neglect that exposed your most sensitive information.
Texas tech enthusiast Chris Vickery had heard strange data dumps could turn up on Amazon’s cloud computing platform, so he started combing through. In early September, he found an enormous data breach that left the private medical information of millions of Americans sitting in the open online.
“It just kind of fell into my lap,” he told Gizmodo.
After Vickery downloaded the data and realised what it was, he started contacting the organisations impacted. Among those exposed: Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.
Redacted files from the breach
The data came from Systema Software, a small company that manages insurance claims. It still isn’t clear how the data ended up on the site, but the company did confirm to Vickery that it happened.
Shortly after Vickery made contact with the affected organisations, the database disappeared from the Amazon subdomain. On September 14, Systema Software COO Danny Smith emailed Vickery to say:
I wanted to let you know that we’ve contacted all of our clients at this point and made them aware of the situation. Again, we’re grateful that it was you who found this exposure and that your intentions are good.
Our clients are looking for confirmation that you have not shared their data with anyone else, will not share it, and will delete it.
Vickery claims that when he spoke with Smith, the COO told him the data was left visible due to a contractor’s mistake.
Tomorrow, Vickery will turn over the data to the Texas Attorney General, where it will be destroyed. But that doesn’t mean Systema is in the clear. Vickery may not be the only person who downloaded those millions of records as they sat out in the Amazon cloud.
We don’t know how long the information was available for everyone to see. But no matter what the timeframe, the neglect is a clear HIPAA violation: Systema failed to protect the security of patients’ electronic medical information.
While Systema may have gotten lucky this time, the gravity of this type of neglect shouldn’t be ignored. Yes, maybe no bad actors saw it. But a company entrusted with some of the most personal records of millions of people somehow managed to bungle safeguarding it to such a degree that a random dude found it online.
This should be a wakeup foghorn for companies storing electronic medical records. Bad security hygiene has the potential to be just as damaging as malicious hackers.