Kromtech Security Discovers PHI of 150,000 Patients Freely Available Online

Researchers at Kromtech Security, a security software company, have identified an unsecured Amazon S3 bucket used by a HIPAA-covered entity. Amazon S3 buckets are a type of cloud storage for the Internet. The unsecured Amazon S3 bucket contained 47.5 GB of medical data relating to an estimated 150,000 patients. It is not the first unsecured Amazon S3 bucket that the company has found.

A huge variety of medical data was stored in the bucket, including blood test results, physicians' names, case management notes, and the personal information of patients, including their names, addresses, and contact telephone numbers. Researchers at Kromtech Security said many of the stored documents were PDF files containing information on multiple patients who were having weekly blood tests performed.

Kromtech Security estimates that 316,000 PDF files were available in the Amazon S3 bucket, without any need for authentication to access them. The tests had been performed in patients' homes, as requested by physicians, by Patient Home Monitoring Corporation. Anybody who was searching for the files only needed an Internet connection to find the protected health information (PHI) of 150,000 patients. However, despite the ease with which the files could be accessed, the researchers were unable to ascertain whether anyone had actually accessed the files before they found them. The researchers were also unable to tell how long the Amazon S3 bucket had remained unsecured.

The unsecured Amazon S3 bucket was first identified on September 29, 2017. The researchers had some difficulty identifying the company to whom the files belonged, but were eventually able to contact them on October 5. While no response was forthcoming, by the following day all data were secured and the files could no longer be accessed online without authentication.

While the cloud offers healthcare organizations cost-effective and convenient data storage, it should be used with caution. Organisations must be careful to use HIPAA-compliant cloud platforms, and HIPAA-covered entities must ensure a business associate agreement (BAA) is obtained before the cloud is used to store ePHI. However, it should be noted that having a BAA does not guarantee HIPAA compliance. Improper use of HIPAA-compliant cloud services may still result in HIPAA violations. The failure to implement controls that prevent cloud-stored data from being accessed by unauthorized individuals is a common way in which employees may accidentally violate HIPAA.

Hefty consequences may be levied against organisations for their failure to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI. If the infractions are particularly severe, they can result in financial penalties from OCR and state attorneys general. A data breach can also result in lawsuits from patients seeking damages to cover the lifelong risk of harm from the exposure of their PHI.

There are many tools available to companies which may be used to ensure that they are using data storage services, such as Amazon S3 buckets, in compliance with HIPAA regulations. Kromtech, for example, offers a free software tool, S3 Inspector, that healthcare organizations can use to check whether their AWS S3 bucket permissions have been configured correctly to prevent access by the public.
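The kind of permission check described above, as an added example rather than Kromtech's S3 Inspector code: it evaluates the dict shapes that boto3's `get_bucket_acl()`, `get_bucket_policy()` and `get_public_access_block()` return, flagging ACL grants to the AllUsers or AuthenticatedUsers groups, bucket-policy statements that allow any principal without a Condition, and a missing or partial Public Access Block. The sample ACL is constructed for offline use; the owner ID and bucket names are placeholders.

```python
import json

# AWS predefined group URIs that make an ACL grant world-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs granted to everyone on the Internet."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((grantee["URI"], grant["Permission"]))
    return found

def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to any principal with no Condition."""
    if not policy_json:
        return []
    risky = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            risky.append(stmt.get("Sid", "<no Sid>"))
    return risky

def assess_bucket(acl, policy_json, public_access_block):
    """Combine the checks; public_access_block is the PublicAccessBlockConfiguration dict (or None)."""
    block = public_access_block or {}
    fully_blocked = all(block.get(k) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    findings = {
        "acl": public_acl_grants(acl),
        "policy": public_policy_statements(policy_json),
        "public_access_block": "enforced" if fully_blocked else "missing or partial",
    }
    # A fully enabled Public Access Block neutralises public ACLs and policies.
    findings["exposed"] = not fully_blocked and bool(findings["acl"] or findings["policy"])
    return findings

# Constructed sample: owner has FULL_CONTROL, but AllUsers also has READ.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_ACL, None, None), indent=2))
```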