Researchers discovered that a misconfigured AWS S3 bucket belonging to Breastcancer.org, a breast cancer support charity based in Ardmore, PA, was leaking data.
SafetyDetectives discovered that the unsecured AWS bucket had exposed hundreds of thousands of files online. The S3 bucket contained more than 350,000 files, including over 300,000 post graphics, many of them carrying detailed exchangeable image file (EXIF) metadata. Altogether, approximately 150GB of data was exposed.
The S3 bucket also contained over 50,000 avatars of registered users, many of which were photos of the users themselves. Combined with the EXIF metadata, the avatars could be used to identify individual users. The bucket held nude photos of patients, and some files contained detailed information about users' health test results. Although contact details were not exposed, the data could still be misused.
The researchers discovered the exposed S3 bucket on November 11, 2021; anyone on the internet could access it without any authentication. After determining that the data belonged to breastcancer.org, the researchers contacted the owner to alert them to the misconfiguration. Breastcancer.org refrained from going public about the exposed data until the S3 bucket had been secured. The researchers kept monitoring the bucket and published their findings on April 28, 2022, a day after the bucket was secured. It is unclear when the misconfiguration occurred or how long the data was exposed. The oldest files in the bucket dated back to April 2017, and because many of the files were recent, the bucket appears to have been in active use when it was discovered.
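The defender-side check that catches this class of misconfiguration is to evaluate a bucket's Block Public Access settings, ACL and bucket policy together. The following is an added example, not code from the article or from Breastcancer.org; it runs on constructed inputs shaped like the responses of boto3's get_public_access_block, get_bucket_acl and get_bucket_policy calls, so it needs no AWS credentials, and the bucket name and owner ID in it are placeholders.

```python
import json

# Constructed inputs shaped like boto3 get_bucket_acl()/get_bucket_policy()
# responses; they are not the real bucket's settings.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
ANON_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER]}
OPEN_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                              "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

def acl_allows_anonymous_read(acl):
    """True if a grant gives AllUsers or AuthenticatedUsers READ/FULL_CONTROL."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in ANON_GROUPS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False

def policy_allows_anonymous_read(policy_json):
    """True if an Allow statement grants s3:GetObject (or a wildcard) to '*'.
    Conditions are not evaluated, so a conditioned grant is still reported."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        public = aws == "*" or (isinstance(aws, list) and "*" in aws)
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and public
                and any(a.lower() in ("*", "s3:*", "s3:getobject") for a in actions)):
            return True
    return False

def bucket_is_public(public_access_block, acl, policy_json):
    """Combine the three settings as S3 does: IgnorePublicAcls neutralises a
    public ACL and RestrictPublicBuckets neutralises a public policy. Pass
    None for the block when the bucket has no such configuration."""
    pab = public_access_block or {}
    via_acl = acl_allows_anonymous_read(acl) and not pab.get("IgnorePublicAcls", False)
    via_policy = (policy_allows_anonymous_read(policy_json)
                  and not pab.get("RestrictPublicBuckets", False))
    return via_acl or via_policy
```

In an account audit the same three functions would be fed the live responses for every bucket, and any bucket returning True is a finding regardless of what it is believed to store.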
Breastcancer.org has issued a statement announcing an investigation into the incident and steps to safeguard users' privacy, including temporarily disabling the ability to view and upload photos. Individuals affected by the breach were notified of the exposure by email.
An exposure of healthcare information like this violates HIPAA only when the owner of the information is a HIPAA-regulated entity. Since that is not the case here, the Federal Trade Commission (FTC) can investigate the incident and impose sizeable financial penalties.