news: Sensitive medical records on AWS bucket found publicly accessible

A large cache of sensitive medical records handled by a US-based digital records management company was found stored in an Amazon S3 storage bucket without adequate protection.

The storage bucket containing sensitive medical records could be accessed by anyone possessing the unique URL name associated with the bucket. According to security researchers, there are proprietary tools available in the market that can decipher unique URL names associated with Amazon S3 storage buckets.

During their investigation, the researchers noted that the medical records were stored in a large PDF file, which in turn was stored in an Amazon S3 storage bucket. Using a proprietary tool, the researchers were able to obtain the unique URL name associated with the bucket, thereby bypassing AWS' data encryption. Using this technique, they were also able to copy direct links to files and folders that could be accessed via the link.
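For the bucket owner's side of this kind of exposure, the following added example (not code from the researchers or the company involved) checks a bucket's policy, ACL and Block Public Access flags for access granted to anyone. It assumes the three inputs have the shapes AWS returns for a bucket's policy, ACL and public access block configuration; the bucket name and all sample values are constructed.

```python
# Added example: offline audit of one S3 bucket's access settings.
# All sample values below are constructed; the bucket name is a placeholder.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_statements(policy):
    """Allow statements open to any principal. Simplification: any Condition
    block is treated as restricting access; S3's own check is more detailed."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            hits.append(stmt)
    return hits

def public_acl_grants(acl):
    """ACL grants made to everyone or to any authenticated AWS account."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]

def audit_bucket(policy, acl, block):
    """block holds the bucket's Block Public Access flags. IgnorePublicAcls and
    RestrictPublicBuckets neutralise public settings that already exist."""
    findings = []
    if not block.get("IgnorePublicAcls"):
        for g in public_acl_grants(acl):
            group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {g['Permission']} to {group}")
    if not block.get("RestrictPublicBuckets"):
        for stmt in public_policy_statements(policy):
            actions = ",".join(as_list(stmt.get("Action", [])))
            findings.append(f"policy allows {actions} to any principal")
    return findings

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-records-bucket/*"}]}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, {}):
        print("FINDING:", line)
```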

'The unfortunate part of so many patient records being exposed is that it was likely a human error and not a malicious actor or cyber-criminal,'


'The repositories contained a wide range of sensitive details about patients that are protected under HIPAA laws. HIPAA violations can carry large financial penalties in the event of willful neglect or purposely leaking patient information online,'