Misconfigured AWS S3 Bucket Exposed Sensitive Data of Breast Cancer Patients

By | May 11, 2022

Researchers have identified a misconfigured AWS S3 bucket belonging to the Ardmore, PA-based breast cancer support charity, Breastcancer.org, that has been leaking sensitive data.

The unsecured AWS bucket was identified by SafetyDetectives who discovered hundreds of thousands of files had been exposed over the Internet. The S3 bucket contained detailed exchangeable image file (EXIF) data, over 350,000 files, and more than 300,000 post images. In total, around 150GB of data had been exposed.

The S3 bucket included more than 50,000 registered users’ avatars, many of which were images of registered users. The avatars could be used in conduction with the EXIF data to identify users. The bucket contained nude images of patients, and some of the files included detailed information about users’ medical test results. While contact information for individuals was not exposed, there is potential for abuse of the information.

The exposed S3 bucket was identified by the researchers on November 11, 2021, and could be accessed by anyone over the Internet without the need for authentication. After determining that the data belonged to breastcancer.org, the researchers made contact to raise the alarm about the misconfiguration and held back going public about the exposed data until the S3 bucket was secured. The researchers have been monitoring the bucket and posted about the exposed data on April 28, 2022, the day after the S3 bucket was secured. It is unclear when the misconfiguration occurred and for how long the data had been exposed. The files in the bucket dated back to April 2017, and since many of the files in the bucket were recent, it appears that it was still in use at the time it was discovered.

Breastcancer.org has issued a statement confirming an investigation has been launched into the incident, and steps have been taken to protect the privacy of users, including temporarily removing the ability to view and upload images. Individuals affected have been notified about the data exposure by email.

Exposures of healthcare data such as this only violate HIPAA if the owner of the data is a HIPAA-regulated entity. In this case, the Federal Trade Commission (FTC) could investigate and has the power to impose significant financial penalties.

The post Misconfigured AWS S3 Bucket Exposed Sensitive Data of Breast Cancer Patients appeared first on HIPAA Journal.