The Daily Swig Web security digest

Misconfigured AWS bucket results in mass clinical data exposure

James Walker | 10 October 2017 at 12:00

Medical records of 150,000 patients laid bare on unprotected server.

Researchers at security software group Kromtech have discovered a publically accessible Amazon S3 repository containing the medical data of an estimated 150,000 patients.

According to the researchers, the exposed AWS server was connected to Patient Home Monitoring Corporation (PHMC), a Louisiana-based healthcare business that provides in-home monitoring.

The 47.5 GB of reports contained weekly blood test results of around 150,000 US residents. They also included patients’ names, addresses, and phone numbers, along with physician’s names and case notes.

“This Amazon repository was misconfigured to be publically available and anyone with an internet connection could access these confidential medical records,” said Alex Kernishniuk, vice president of strategic alliances at Kromtech.

With revenues of $33.5 million in the second quarter, PHMC provides and rents in-home monitoring equipment aimed at improving clinical patient outcomes and removing the need for weekly office visits.

Kromtech notified the company of the unsecured bucket on October 5, and the data was secured from public access the following day.

“This is yet another wake-up call for companies who try to bridge the gap between healthcare and technology to make sure cybersecurity is also a part of their business model,” Kernishniuk said.