Contractor Mistakenly Publishes 1.5 Million Confidential Patient Records on Amazon Web Services
Government (U.S.) // Healthcare and Public Health
A tech enthusiast, who had heard strange data dumps could turn up on the cloud computing platform, started combing through and, in early September, found the assemblage.
Human error left the private medical information of millions of Americans sitting open on the World Wide Web. The data included police injury reports, drug tests, detailed doctor visit notes, and Social Security numbers, among other items.
After Chris Vickery, the techie, downloaded the data and realized what it was, he started contacting the organizations impacted. Among those affected: Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.
Shortly after Vickery reached the victim organizations, the database disappeared from the Amazon cloud subdomain.
It turns out Systema Software, a small company that handles insurance claims, was managing the data.
On Sept. 14, Systema Software COO Danny Smith emailed Vickery to say:
I wanted to let you know that we’ve contacted all of our clients at this point and made them aware of the situation. Again, we’re grateful that it was you who found this exposure and that your intentions are good.
Our clients are looking for confirmation that you have not shared their data with anyone else, will not share it, and will delete it.
Vickery claims the COO told him the data was left visible due to a contractor’s mistake.
Vickery will turn over the data to the Texas Attorney General, where it will be destroyed.
A Systema official told Gizmodo:
Systema Software recently became aware that a single individual gained unapproved access into our data storage system containing data belonging to certain Systema clients. In addition to communicating with Systema, this individual also self-reported this discovery to the proper authorities and impacted clients and is in the process of working with the Texas Attorney General to securely wipe all data from his hard drive. While our investigation is still ongoing, it is important to note that, based on our initial review, we have no indication that any data has been used inappropriately.