Another customer misconfigured Amazon Web Services (AWS), leading to a major cloud data leak. The latest misstep apparently involves Patient Home Monitoring, which stored more than 300,000 patient blood test results in an Amazon S3 (Simple Storage Service) repository that wasn't properly secured, according to Kromtech Security Center.
Kromtech discovered the apparent leak on September 29, spent a few days tracking down the data's owner, and alerted Patient Home Monitoring on October 5. By October 6, the bucket was secured from public access. But nobody from Patient Home Monitoring replied to Kromtech, the security researcher says.
If the Kromtech report is accurate, Patient Home Monitoring could be facing HIPAA compliance headaches in the weeks and months to come. HIPAA fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation, according to Compliancy Group, a consulting firm that assists MSPs with their healthcare compliance needs.
Kromtech and several other companies regularly comb AWS for poorly secured customer data. Not coincidentally, Kromtech also offers a free tool -- called S3 Inspector -- that allows a company or individual to check AWS buckets for public access. Similarly, CloudCheckr offers a tool called S3Checkr.com to discover AWS buckets that aren't properly secured.
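The checks such tools perform come down to two questions about each bucket: does its ACL grant anything to the AllUsers or AuthenticatedUsers groups, and does its bucket policy contain an Allow statement with a wildcard principal? The script below is an added example, not the code of S3 Inspector or S3Checkr.com; it evaluates the dictionary and JSON shapes that boto3's `get_bucket_acl()` and `get_bucket_policy()` return, with constructed sample documents so it runs offline. The bucket names, owner ID and policy Sids are made up.

```python
"""Flag S3 buckets whose ACL or bucket policy grants public access.

Added example: it mirrors the kind of check that third-party bucket
scanners perform, using the response shapes of boto3's get_bucket_acl()
and get_bucket_policy(). Sample documents below are constructed.
"""
import json

# Canned groups S3 recognises in ACL grants. AllUsers is anonymous access;
# AuthenticatedUsers is any AWS account holder, which is public in practice.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return (sid, has_condition) for Allow statements with a wildcard principal.

    A Condition block may narrow the statement (e.g. to a source VPC), so the
    flag is reported alongside the Sid rather than silently suppressing it.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            findings.append((stmt.get("Sid", f"statement[{index}]"), "Condition" in stmt))
    return findings


def assess_bucket(name, acl, policy_json=None):
    """Combine both checks into one verdict for a bucket."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy_json) if policy_json else []
    return {
        "bucket": name,
        "public": bool(acl_findings or policy_findings),
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
    }


def scan_account(s3_client):
    """Run assess_bucket() over every bucket visible to a boto3 S3 client (live use)."""
    from botocore.exceptions import ClientError  # only needed for a live scan

    results = []
    for bucket in s3_client.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3_client.get_bucket_acl(Bucket=name)
        try:
            policy_json = s3_client.get_bucket_policy(Bucket=name)["Policy"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy_json = None
        results.append(assess_bucket(name, acl, policy_json))
    return results


# Constructed samples: a leaky bucket and a correctly locked-down one.
LEAKY_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-results/*"}],
})
PRIVATE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [LEAKY_ACL["Grants"][0]]}

if __name__ == "__main__":
    for verdict in (assess_bucket("example-results", LEAKY_ACL, LEAKY_POLICY),
                    assess_bucket("example-private", PRIVATE_ACL)):
        print(json.dumps(verdict, indent=2))
```

`scan_account(boto3.client("s3"))` runs the same logic against a real account. A bucket that comes back `"public": false` from these two checks can still expose individual objects through per-object ACLs, so an object-level audit is the natural follow-up; ACL grants to AuthenticatedUsers are treated as public here deliberately, since any AWS account holder qualifies.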
Misconfigured AWS cloud buckets have triggered multiple massive data leaks this year. Additional examples include:
- Accenture cloud data left in the open on AWS.
- Two Verizon AWS-related leaks, including a Verizon Wireless leak and a second exposure in which 14 million Verizon records were readily accessible.
- Sensitive personal files of thousands of U.S. military and intelligence personnel.
- 4 million Time Warner Cable customer records exposed.
- A WWE database leak with 3 million customer records.
- A Republican database with information on 200 million voters.
- A similar AWS exposure at Dow Jones.
On the one hand, all of the AWS data leaks involve user error and poor configurations rather than Amazon's own security lapses. But on the other hand, the frequency of AWS data leaks suggests that basic user education and/or simplified configuration guidance is seriously needed...