The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Misconfigured AWS S3 Bucket Exposed Sensitive Data of Breast Cancer Patients

Researchers have identified a misconfigured AWS S3 bucket belonging to the Ardmore, PA-based breast cancer support charity, Breastcancer.org.

The unsecured bucket was identified by SafetyDetectives, whose researchers found hundreds of thousands of files exposed over the Internet: more than 350,000 files in total, including over 300,000 post images, many of which still carried detailed exchangeable image file format (EXIF) metadata. In total, around 150GB of data had been exposed.

The S3 bucket also held more than 50,000 registered users’ avatars, many of which were photographs of the users themselves. Combined with the EXIF metadata, which can record the capture device, the timestamp and the GPS position where a photo was taken, the avatars could be used to identify users. The bucket contained nude images of patients, and some of the files included detailed information about users’ medical test results. While no contact information was exposed, the data could still be abused.

The researchers identified the exposed S3 bucket on November 11, 2021. It could be accessed by anyone over the Internet without authentication. After determining that the data belonged to Breastcancer.org, the researchers contacted the charity to report the misconfiguration and withheld publication until the bucket was secured. They continued to monitor the bucket and published their findings on April 28, 2022, the day after it was secured. It is unclear when the misconfiguration occurred or for how long the data had been exposed. The files in the bucket dated back to April 2017, and since many of them were recent, the bucket appears to have still been in active use when it was discovered.


“Breastcancer.org recently became aware that an AWS S3 bucket was configured in such a way that non-registered users could theoretically access it. In response, Breastcancer.org engaged a team of third-party experts to investigate this matter. That investigation is ongoing,” said Breastcancer.org in a statement provided to HIPAA Journal. “In the interim, Breastcancer.org reconfigured the Amazon Web Services (AWS) S3 bucket, removed the metadata associated with all historical and new uploaded images, and implemented pre-signed tokens that allow only the community website (or approved Breastcancer.org staff) to load or download images.”
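Two of the technical points above, that EXIF metadata left in uploaded photos can help identify a user, and that one remediation is to strip that metadata from all stored and newly uploaded images, are shown in the following Python example. It is an added illustration written for this page, not Breastcancer.org's own remediation code. It walks a JPEG's marker segments, reads the EXIF TIFF directory to check for a GPS sub-IFD, and rebuilds the file without any metadata segments. The sample image is a constructed skeleton with a valid marker structure and no real picture data; the segment and tag constants are the standard JPEG and EXIF values.

```python
"""Inspect and strip EXIF metadata from JPEG bytes using only the standard library.
Added illustration for this page, not Breastcancer.org's code; SAMPLE_JPEG is constructed."""
import struct

SOI, SOS, APP0, APP1, APP14, COM = 0xD8, 0xDA, 0xE0, 0xE1, 0xEE, 0xFE
TAG_MODEL, GPS_IFD_POINTER = 0x0110, 0x8825  # camera model; offset of the GPS sub-IFD
KEEP_APP = {APP0, APP14}  # JFIF/Adobe segments a decoder may need; other APPn are metadata

def iter_segments(data):
    """Yield (marker, start, end) per segment through SOS; data[start:end] is the whole
    segment including its FF xx marker. The scan data after SOS is left to the caller."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length
        if marker == SOS:
            return

def find_exif(data):
    """Return the TIFF block carried in the APP1 'Exif' segment, or None."""
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00":
            return data[start + 10:end]
    return None

def read_ifd(tiff, offset, order):
    """Parse one IFD into {tag: (type, count, 4 raw value-or-offset bytes)}."""
    (n,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for e in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries

def exif_tags(tiff):
    """Return {'ifd0': tags, 'gps': tags}, honouring the byte-order mark in the TIFF header."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd0_offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0, gps = read_ifd(tiff, ifd0_offset, order), {}
    if GPS_IFD_POINTER in ifd0:
        (gps_offset,) = struct.unpack(order + "I", ifd0[GPS_IFD_POINTER][2])
        gps = read_ifd(tiff, gps_offset, order)
    return {"ifd0": ifd0, "gps": gps}

def has_location_metadata(data):
    """True if the image carries a GPS sub-IFD, i.e. it can place the uploader on a map."""
    tiff = find_exif(data)
    return tiff is not None and GPS_IFD_POINTER in exif_tags(tiff)["ifd0"]

def strip_metadata(data):
    """Rebuild the JPEG without EXIF/XMP/IPTC (APPn other than JFIF/Adobe) and COM segments."""
    out, scan_start = bytearray(), None
    for marker, start, end in iter_segments(data):
        is_metadata = (0xE0 <= marker <= 0xEF and marker not in KEEP_APP) or marker == COM
        if not is_metadata:
            out += data[start:end]
        if marker == SOS:
            scan_start = end
    if scan_start is None:
        raise ValueError("no SOS segment: not a complete JPEG")
    out += data[scan_start:]  # entropy-coded scan and EOI, byte for byte
    return bytes(out)

def _segment(marker, payload):  # helper for the constructed sample below
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def _build_exif_tiff():
    """Little-endian TIFF: IFD0 holding Model + GPS pointer, followed by a GPS IFD."""
    ifd0_offset = 8  # directly after the 8-byte TIFF header
    gps_offset = ifd0_offset + 2 + 2 * 12 + 4  # IFD0 = count, two entries, next-IFD link
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHI", TAG_MODEL, 2, 4) + b"Cam\x00"  # ASCII; 4 bytes fit inline
    ifd0 += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_offset) + struct.pack("<I", 0)
    gps = struct.pack("<H", 1) + struct.pack("<HHI", 0x0000, 1, 4) + bytes([2, 3, 0, 0])
    return b"II" + struct.pack("<HI", 42, ifd0_offset) + ifd0 + gps + struct.pack("<I", 0)

SAMPLE_JPEG = (  # constructed: JFIF header, EXIF with GPS, a comment, a stub scan, EOI
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00" + _build_exif_tiff())
    + _segment(COM, b"uploaded by user 1234")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"  # stand-in for entropy-coded scan data
    + b"\xff\xd9"
)
```

Calling has_location_metadata(SAMPLE_JPEG) returns True; after strip_metadata() the same check returns False and find_exif() returns None, while the JFIF header, scan data and EOI are preserved byte for byte. Stripping metadata only limits what can be inferred from images that leak; it does nothing about the bucket's access configuration, which was the root cause here, so the pre-signed access described in the statement is the control that actually closes the exposure.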

Exposures of healthcare data such as this only violate HIPAA if the owner of the data is a HIPAA-regulated entity (a covered entity or a business associate), which Breastcancer.org is not.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
