Police injury reports, drug tests, detailed doctor visit notes, social security numbers—all were inexplicably unveiled on a public subdomain of Amazon Web Services. Welcome to the next big data breach horrorshow. Instead of hackers, it’s old-fashioned neglect from companies managing data that exposed your most sensitive information.
Texas tech enthusiast Chris Vickery had heard strange data dumps could turn up on Amazon’s cloud computing platform, so he started combing through. In early September, he found an enormous data breach that left the private medical information of millions of Americans sitting in the open online.
“It just kind of fell into my lap,” he told Gizmodo.
After Vickery downloaded the data and realized what it was, he started contacting the organizations impacted. Among those exposed: Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.
Redacted files from the breach
The data came from Systema Software, a small company that manages insurance claims. It still isn’t clear how the data ended up on the site, but the company did confirm to Vickery that it happened.
Shortly after Vickery made contact with the affected organizations, the database disappeared from the Amazon subdomain. On September 14, Systema Software COO Danny Smith emailed Vickery to say:
I wanted to let you know that we’ve contacted all of our clients at this point and made them aware of the situation. Again, we’re grateful that it was you who found this exposure and that your intentions are good.
Our clients are looking for confirmation that you have not shared their data with anyone else, will not share it, and will delete it.
Vickery claims that when he spoke with Smith, the COO told him the data was left visible due to a contractor’s mistake. We have reached out for comment to Systema, and other companies affected by the breach, and will update as we know more.
Tomorrow, Vickery will turn over the data to the Texas Attorney General, where it will be destroyed. But that doesn’t mean Systema is in the clear. Vickery may not be the only person who downloaded those millions of records as they sat out in the Amazon cloud.
We don’t know how long the information was available for everyone to see. But no matter what the timeframe, the neglect could be a HIPAA violation: Systema failed to protect the security of patients’ electronic medical information.
While Systema may have gotten lucky this time, the gravity of this type of neglect shouldn’t be ignored. Yes, maybe no bad actors saw it. But a company entrusted with some of the most personal records of millions of people somehow managed to bungle safeguarding it to such a degree that a random dude found it online.
This should be a wakeup foghorn for companies storing electronic medical records. Bad security hygiene has the potential to be just as damaging as malicious hackers.
Update 10:56 am: We received confirmation from one of the affected organizations, the Kansas Department of Health and Environment. The good news is that it appears Vickery was the only person who gained access to the data. The organization issued this statement to us:
On September 9 the Kansas Department of Health and Environment (KDHE) was notified that a file containing information related to state employees’ worker’s compensation information (commonly referred to as the state self-insurance fund) had been discovered online. We have worked with our contractor to determine what information was available and to whom it was available. We are confident that all identities remain safe and confidential. During this process, we found that the file was downloaded by only one individual—the person who notified KDHE of this issue. Once KDHE was notified, we immediately went to the website where this file was discovered and the file was no longer accessible. We have been assured that this file has not been distributed further, and that it will not be used or distributed in the future. KDHE continues to work with our contractor to ensure similar instances do not occur going forward.
Update 2:27: We’ve got confirmation from a Systema spokesperson, who told us:
Systema Software recently became aware that a single individual gained unapproved access into our data storage system containing data belonging to certain Systema clients. In addition to communicating with Systema, this individual also self-reported this discovery to the proper authorities and impacted clients and is in the process of working with the Texas Attorney General to securely wipe all data from his hard drive. While our investigation is still ongoing, it is important to note that, based on our initial review, we have no indication that any data has been used inappropriately. However, out of an abundance of caution, upon learning of this issue, we took immediate action including:
· Launching a comprehensive internal review to identify the scope of the event and necessary remediation measures
· Notifying impacted organizations
· Working closely with state and federal authorities as well as a leading forensic IT firm
The privacy and security of our clients’ information remains our top priority, and we will continue to take the appropriate steps needed to safeguard their information and enhance our data security policies.
Update 4:09 pm: I asked Systema if it denied Vickery’s estimate that 1.5 million people were affected by the breach, and a representative gave this statement: “As is common with similar events, until the investigation is completed, it will be difficult to confirm the full scope of the incident, but we will continue to work vigilantly to address this issue and will provide updates as we learn more from our review.”