Neglect from companies managing data has exposed sensitive information. Police injury reports, drug tests, detailed doctor visit notes and social security numbers were all unveiled on a public subdomain of Amazon Web Services.
Tech enthusiast Chris Vickery was aware of strange data dumps that could turn up on Amazon’s cloud computing platform. He started combing through the data dumps and in early September made a significant discovery.
He found an enormous data breach that had left the private medical information of millions of Americans sitting in the open online.
Vickery downloaded the data and immediately realized what it was. At that point he started contacting the organizations impacted, including Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.
The data came from a small company, Systema Software, that manages insurance claims. At the moment it isn’t clear how the data ended up on the site, but the company confirmed to Vickery that it happened.
Shortly after Vickery contacted the affected organizations, the database disappeared from the Amazon subdomain. On September 14, Systema Software emailed Vickery to thank him for his benevolence in reporting his finding. The email also requested confirmation that Vickery had not shared the data with anyone else, would not share it and would delete it.
Vickery will be turning over the data to the Texas Attorney General, where it will be destroyed. However, it is unclear if anyone else downloaded the millions of records as they sat out in the Amazon cloud.
Experts do not know how long the information was available for everyone to see. However, no matter what the timeframe was, the neglect could be a HIPAA violation. Systema failed to protect the security of patients’ electronic medical information.
This should be a wake-up call for companies storing electronic medical records. Bad security hygiene has the potential to be just as damaging as malicious hackers.