Sensitive Data of Breast Cancer Patients Compromised Because of Misconfiguration in AWS S3 Bucket

Researchers found out that a misconfigured AWS S3 bucket is exposing information. This cloud storage is owned by Breastcancer.org, a breast cancer support charity located in Ardmore, PA.

SafetyDetectives learned that the unsecured AWS bucket has disclosed thousands of files on the internet. The S3 bucket comprised comprehensive exchangeable image file (EXIF) information, over 350,000 files, and more than 300,000 post images. Altogether, roughly 150GB of information was affected.

The S3 bucket comprised around 50,000 avatars of signed-up users, many of which were pictures of registered people. The avatars may be used along with the EXIF files to differentiate users. The bucket had nude images of patients, and some of the files had complete information about users’ medical test information. Even if the contact information of users was not affected, it’s possible for the data to be misused.

The researchers identified the affected S3 bucket last November 11, 2021. Any person on the internet could access the bucket without requiring any authentication. Upon knowledge that the leaked data was from breastcancer.org, the researchers got in touch with the organization to notify them about the misconfiguration. Breastcancer.org did not go public with regards to the breached data until it has secured the S3 bucket. The researchers continued monitoring the bucket and shared about the breached data on April 28, 2022, one day after securing the S3 bucket. It is not known when the problem occurred or how long the data was leaked. The data in the bucket had been there since April 2017, and considering that many of the files in the S3 bucket were fairly new, apparently, it was still in use at the time it was discovered.

Breastcancer.org made a statement about the investigation of the breach and the implementation of measures to keep the privacy of users safe. Hence, the function to access and upload images is temporarily deactivated. People affected by the incident got informed about the data compromise via email.

The exposure of healthcare data such as this is considered a violation of HIPAA if the owner of the data is a HIPAA-covered entity. Therefore, the Federal Trade Commission (FTC) can look into this incident and can impose substantial financial fines.

About Christine Garcia 1191 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA