Thousands of Patients' Data Has Been Breached Thanks to Misconfigured Amazon S3 Buckets
Unfortunately, incidents where large and small companies leave vast amounts of personal data exposed to the internet because of poorly configured databases and servers are an everyday occurrence. Last month, for example, researchers from UpGuard and DataBreaches.net independently found two misconfigured Amazon S3 buckets that collectively exposed more than 300 thousand files containing all sorts of healthcare records. Although the two teams didn't coordinate their work, and although the buckets were discovered using different methods, it soon became apparent that the data belonged to the same company – Medico, Inc.
More than 90GB of personal and business data was left out in the open
Predictably, a lot of details related to unsuspecting patients' medical conditions were exposed in the buckets. There were digitized exam and treatment notes, scanned prescriptions, and a host of other healthcare-related documents. This, on its own, sounds pretty bad. It is, unfortunately, only the beginning.
In addition to people's medical records, Medico also left quite a lot of spreadsheets pertaining to its and its partners' business in the misconfigured buckets. UpGuard's experts didn't go into too many details about the sensitivity of the data, but they did note that it "might be damaging to the company or their customers".
There was quite a lot of insurance data as well, with Explanation of Benefits (EOB) documents making up a large portion of the exposed information. In addition to personal and contact details, these papers reveal medical and treatment histories which could cause victims quite a lot of trouble if abused. In some cases, the EOBs also revealed financial details, including credit card numbers and CVVs. To complete the picture, Medico's badly configured buckets also contained subpoenas and requests for medical records which included yet more sensitive data like social security numbers.
Last but not least, some of Medico's internal login credentials and communication were leaked, and they give us a worryingly clear insight into how the company treats the matter of data security.
The misconfigured S3 buckets revealed some of Medico's less-than-perfect data security practices
In addition to all the healthcare, personal, and business data, the offending S3 buckets also stored some spreadsheets that held login credentials to portions of Medico's backend infrastructure. Although this could very well be the fastest, if not the most convenient way of giving all employees access to the important passwords, we have mentioned in the past that leaving this sort of data in plain text is never a good idea. You can now see why.
It must be said that the spreadsheets in question were protected by a password which, in theory at least, would have prevented anyone who found the files from opening them. Unfortunately, Medico employees were also emailing each other the passwords that opened the spreadsheets, and the company's IT department designed its system to automatically back up all internal communication to the same S3 buckets. In other words, the passwords that were supposed to be protecting the spreadsheets were stored in the same place as the spreadsheets themselves. They were available in plain text and were accessible from anywhere in the world.
Both GuardUp and DataBreaches.net said that Medico fixed the configuration errors shortly after getting notified about them. Given the sensitive nature of the exposed data, a quick reaction was essential, and Medico deserves a pat on the back for securing the buckets as soon as they heard about the leak.
That being said, this shouldn't be an excuse for storing passwords in Microsoft Office documents which are hosted in the cloud. It shouldn't be an excuse for making configuration mistakes that are all too common, either.