Another Exploit: S3 Bucket Leads to Breach of 50k Patient Records


A privacy advocate at Comparitech reported on the discovery of over 50,000 records stored on two publicly accessible AWS S3 buckets without password protection or authentication – an all too common, and often devastating, cloud security misconfiguration.

Comparitech discovered the exposed buckets on February 22, 2021. The two exploited S3 buckets were already indexed by a search engine one month prior, on January 25. After alerting the security team at AWS on February 24, researcher Bob Diachenko, who made the discovery, received a response from AWS that they would notify the bucket owners. After further investigation, Bob identified Premier Diagnostics as the owners and reached out to them the following day.

After an investigation, it is unclear how long the exploited S3 buckets were public before Premier Diagnostics came forward as the owner and took steps to secure them on March 1, 2021. At that point, the damage was already done.

Premier Diagnostics primarily serves Utah individuals, clinics, schools, and businesses. It provides drive-through testing facilities for patients and has administered hundreds of thousands of COVID-19 tests. Premier Diagnostics is a heavily regulated company because of the sensitive data that it processes. The company’s crown-jewel data includes medical insurance information, patient information, and private test sample IDs, among other PII and sensitive information. One of the exposed buckets, titled patient-images, contained more than 200,000 images. Each patient had four files uploaded – front and back images of medical insurance and ID cards (including driver’s licenses and passports). The second bucket, named paper-records, contained names, dates of birth, and test sample IDs. The loss of this crown-jewel data is significant not just in volume but also because of its highly sensitive nature.

In total, approximately 52,000 patient records, including PII, were left exposed by this all too common cloud misconfiguration. The mistake sometimes stems from a lack of understanding of the Shared Responsibility Model between AWS and its customers, and it is the most prevalent cloud security issue. Oftentimes, it is caused by human error or a lack of cloud security education within dev and cloud teams. Education on how to secure your cloud environment is important to protecting your crown-jewel data.

When it comes to S3 buckets, you should always have them configured properly, and your cloud should be continuously monitored for any cloud drift. This means setting up alerts that go to the right team at the right time when there is a violation of a control policy. It also means implementing a cloud security prevention solution to catch configuration errors before they become an issue, and having remediation in place for when mistakes happen. In addition to education and the right cloud security tools, it is necessary that each team understands the AWS Shared Responsibility Model and where their responsibility lies.
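One way to express such a control-policy check, as an added example that is not part of the original article: it takes a bucket's Block Public Access settings, ACL and policy, assumed to be already fetched in the shape the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls return, and reports both drift and actual public exposure. The function names, the sample bucket name and the rule that any unconditioned wildcard Allow counts as public are assumptions made for illustration.

```python
import json

# Predefined group URIs that make an S3 ACL grant public.
PUBLIC_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(pab, acl, policy_json):
    """Return (exposed, findings) for one bucket's configuration snapshot."""
    # pab: PublicAccessBlockConfiguration dict, or None when none is set.
    pab = pab or {}
    findings = [f"drift: {flag} is not enabled" for flag in PAB_FLAGS if not pab.get(flag)]
    exposed = False
    # Public ACL grants only take effect while IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                exposed = True
                findings.append(f"exposed: ACL grants {grant['Permission']} to a public group")
    # Simplification (assumption): an unconditioned Allow for "*" is public.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                    and _wildcard_principal(stmt.get("Principal"))):
                exposed = True
                findings.append(f"exposed: policy allows {stmt.get('Action')} to anyone")
    return exposed, findings

# Constructed samples: an open bucket, and the settings that lock it down.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]},
                        "Permission": "READ"}]}
LOCKED_PAB = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    for label, pab in (("before", None), ("after", LOCKED_PAB)):
        print(label, audit_bucket(pab, OPEN_ACL, OPEN_POLICY))
```

Run on a schedule against every bucket in an account, any `exposed` result is the alert that should reach the owning team; the `drift` findings flag buckets that are one bad ACL or policy away from exposure.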

In recent headlines, we have read about countless organizations that have made the mistake of leaving an exposed AWS S3 bucket open to the Internet. This S3 misconfiguration can be prevented and our technical experts can help explain steps you can take today to prevent this error from happening to your organization. 

Read more about the Premier Diagnostics data breach on Comparitech’s blog.