Sonrai Security website logo for identity and data governance and cloud security

Another S3 Bucket Leads to Breach of 50k Patient Records

Author: Kelly Speiser | Date: March 15, 2021
Read Time: 2 minutes
Skill Level: Technical
Skill Level: Technical
S3 Buckets and AWS

A privacy advocate at Comparitech reported on the discovery of over 50,000 records stored on two publicly accessible AWS S3 buckets without password protection or authentication - an all too common, and often devastating, cloud security misconfiguration.

Comparitech discovered the exposed buckets on February 22, 2021. The two S3 buckets were already indexed by a search engine one month prior, on January 25. After alerting the security team at AWS on February 24, researcher Bob Diachenko, who made the discovery, received a response from AWS that they would notify the bucket owners. After further investigation, Bob identified Premier Diagnostics as the owners and reached out to them the following day.

After an investigation, it is unclear how long the S3 buckets were public before Premier Diagnostics came forward as the owner and took steps to secure the buckets on March 1, 2021. At that point the damage was already done.

Premier Diagnostics primarily serves Utah individuals, clinics, schools, and businesses. It provides drive-through testing facilities for patients and has administered hundreds of thousands of COVID-19 tests. Premier Diagnostics’ is a heavily regulated company because of the sensitive data that it processes. The company’s crown-jewel data  includes medical insurance information, patient information, private test sample IDs, among other PII, and sensitive information. One of the exposed buckets, titled patient-images, contained more than 200,000 images. Each patient had four files uploaded – front and back images of medical insurance and ID cards (including driver’s licenses and passports). The second bucket, named paper-records, contained names, dates of birth, and test sample IDs. The loss of this crown jewel data is quite significant not just in volume but also in terms of its highly sensitive nature.

In total, approximately 52,000 patient records, including PII, were left exposed from this all too common cloud misconfiguration. This common misconfiguration mistake sometimes stems from a lack of understanding of the Shared Responsibility Model between AWS and its customers. And it’s the most prevalent cloud security issue. Oftentimes, this misconfiguration is caused by human error or a lack of cloud security education within your dev and cloud teams. Education on how to secure your cloud environment is important to protecting your crown-jewel data.

When it comes to S3 buckets, you should always have them configured properly and your cloud should be continuously monitored for any cloud drift. This means setting up alerts that go to the right team at the right time when there is a violation of a control policy. Implementing a cloud security prevention solution to catch configuration errors before they become an issue, and using a remediation for when mistakes happen. In addition to education and the right cloud security tools, it is necessary that each team understands the AWS Shared Responsibility model and where their responsibility lies.

In recent headlines, we have read about countless organizations that have made the mistake of leaving an exposed AWS S3 bucket open to the Internet. This S3 misconfiguration can be prevented and our technical experts can help explain steps you can take today to prevent this error from happening to your organization. 

Read more about the Premier Diagnostics data breach on Comparitech’s blog

You Might Also Like

AWS S3 Security Best Practices

This March Amazon Web Services (AWS) Simple Storage Service, more commonly known as S3, officially turns 15 ye[...]

Read More

AWS Checklist: Expert Advice on Security & Risk Priorities

Key takeaways from our recent webinar on AWS security  As we discussed in a recent webinar on AWS security [...]

Read More

AWS IAM Breakdown… and common mistakes!

Let me just start with this statement… EVERYTHING in AWS (Amazon Web Services) is related to an AWS Identity and Acce[...]

Read More