Content, Governance, Risk and Compliance, Breach

Amazon AWS Cloud Data Leak: 150,000 Patient Home Monitoring Identities

Share
Credit: Pixabay

Another customer misconfigured Amazon Web Services (AWS), leading to a major cloud data leak. The latest misstep apparently involves Patient Home Monitoring, which stored more than 300,000 patient blood test results in an Amazon S3 (Simple Storage Service) repository that wasn't properly secured, according to Kromtech Security Center.

Kromtech discovered the apparent leak on September 29, spent a few days tracking down the data's owner, and alerted Patient Home Monitoring on October 5. By October 6, the bucket was  secured from public access. But nobody from Patient Home Monitoring replied to Kromtech, the security research says.

If the Kromtech report is accurate, Patient Home Monitoring could be facing HIPAA compliance headaches in the weeks and months to come. HIPAA fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation, according to Compliancy Group, a consulting firm that assists MSPs with their healthcare compliance needs.

Kromtech and several other companies regularly comb AWS for poorly secured customer data. Not by coincidence Kromtech also offers a free tool -- called S3 Inspector -- that allows a company or individual to check AWS bucks for public access. Similarly, CloudCheckr offers a tool called S3Checkr.com to discover AWS buckets that aren't properly secured.

Misconfigured AWS cloud buckets have triggered multiple massive data leaks this year. Additional examples include:

On the one hand, all of the AWS data leaks involve user error and poor configurations rather than Amazon's own security lapses. But on the other hand, the frequency of AWS data leaks suggest that basic user education and/or simplified configuration guidance is seriously needed....

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.