Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security

Private Medical Data of Over 1.5 Million People Exposed Through Amazon 106

Gizmodo reports that a wide variety of information about 1.5 million people -- everything from police injury reports, doctor's notes about their patients, and social security numbers -- "all were inexplicably unveiled on a public subdomain of Amazon Web Services. Welcome to the next big data breach horrorshow. Instead of hackers, it's old-fashioned neglect that exposed your most sensitive information." From the article: Tomorrow, [Texas-based researcher Chris Vickers, who discovered the breach] will turn over the data to the the Texas Attorney General, where it will be destroyed. But that doesn’t mean Systema is in the clear. Vickers may not be the only person who downloaded those millions of records as they sat out in the Amazon cloud. We don’t know how long the information was available for everyone to see. But no matter what the timeframe, the neglect could be a HIPAA violation: Systema failed to protect the security of patients’ electronic medical information.
This discussion has been archived. No new comments can be posted.

Private Medical Data of Over 1.5 Million People Exposed Through Amazon

Comments Filter:
  • by Anonymous Coward

    is secure enough to store sensitive personal data....

    • It totally is. You just need to disconnect all the computers that are part of the cloud from the internet.

    • by PTBarnum ( 233319 ) on Sunday September 20, 2015 @01:28AM (#50559789)

      Shockingly, AWS allows you to configure your servers in an insecure manner. Clearly, the cloud must be insecure.

      • by Skapare ( 16644 )

        i have uploaded files to AWS S3. the default permission setting allows anyone to read files if they know (or can guess) the bucket name. S3 users need to be more proactive. they need to lockdown access to their S3 buckets (often used for backups). the defaults can be changed.

        copy_tags_from_spot_request_to_instance.py [amazonaws.com]

      • by Jawnn ( 445279 )

        Shockingly, AWS allows you to configure your servers in an insecure manner. Clearly, the cloud must be insecure.

        Well, at it's essence, "the cloud" means "someone else's servers". This being the case, it should be abundantly clear that there is no magic there. If you use "someone else's servers in an insecure manner, it's not the someone else that is at fault. Even Amazon tacitly admits as much. Ever tried to get them to sign a Business Associate Agreement (a statutory requirement when you let a third party handle records covered by HIPAA regulations)? They will, but only after you've satisfied them that your use of t

        • Shockingly, AWS allows you to configure your servers in an insecure manner. Clearly, the cloud must be insecure.

          Well, at it's essence, "the cloud" means "someone else's servers". This being the case, it should be abundantly clear that there is no magic there. If you use "someone else's servers in an insecure manner, it's not the someone else that is at fault. Even Amazon tacitly admits as much. Ever tried to get them to sign a Business Associate Agreement (a statutory requirement when you let a third party handle records covered by HIPAA regulations)? They will, but only after you've satisfied them that your use of their platform is sufficiently secure. It's a cinch that Systema didn't have a BAA with Amazon. Guess who's going to get fined?

          wouldn't people with a little skepticism at least encrypt their files before uploading them, even with something trivial like zipping them with a password?

  • by Anonymous Coward on Saturday September 19, 2015 @10:40PM (#50559293)

    Should probably be pointed out that this has nothing to do with amazon other than it was their web hosting used.

    • by Etherwalk ( 681268 ) on Saturday September 19, 2015 @10:55PM (#50559355)

      Should probably be pointed out that this has nothing to do with amazon other than it was their web hosting used.

      Amazon is a big name. Amazon is related to the story because it makes more people read the story. It's like if you have a story that Donald Trump's barber is secretly Sweeney Todd. The story becomes Donald Trump.

    • by drolli ( 522659 )

      Definitely as far as I understood some stupid left database dumps on amazon S3 with permissions for the whole world to read.

      In my experience, such idiots actually dont need any cloud computing to make clowns of themself. Usually they even try operate own system and find obscure excuses like "but only our customers know our IP" for insecure settings or "we dont need to update, since only one application is running on the machine".

    • by Anonymous Coward

      Amazons servers have been firewalled by us for some years now.

      They regularly host malware sites, spam site, port scanners, etc.

      Their complain/resolution service is rubbish, we no longer bother informing them.

  • Amazon? (Score:5, Informative)

    by bondsbw ( 888959 ) on Saturday September 19, 2015 @10:41PM (#50559297)

    So Systema is at fault for not securing the data, but the headline pins it on Amazon?

    • Re:Amazon? (Score:5, Insightful)

      by MobileTatsu-NJG ( 946591 ) on Saturday September 19, 2015 @10:58PM (#50559363)

      Bear in mind that Slashdot generates revenue from clicks.

    • Amazon once bit my sister.

      • by Mashiki ( 184564 )

        Amazon once bit my sister.

        Let me guess, she started working there the next day and now puts in 160 hour work weeks.

    • Why not mention Amazon?

      1) Companies have to follow due diligence when handling private medical data.

      2) Companies want to use a cheap cloud computing platform to mine medical data.

      3) Story: Amazon cloud services are not suitable for 1)+2)

      I don't know about you, but I've learned something, and I know what I'll ask my health care provider about how they handle my data.

      • Re:Amazon? (Score:5, Informative)

        by Cyberax ( 705495 ) on Sunday September 20, 2015 @03:34AM (#50560051)
        Actually, Amazon _is_ suitable for medical data. It complies with all the HIPAA regulations and can sign a BAA with an organization willing to use Amazon services for sensitive data ( https://aws.amazon.com/ru/comp... [amazon.com] ).

        Of course, nothing can prevent a clueless operator from putting data on a publicly accessible share.
        • Interesting, but confusing. Why does the Amazon web page you link to state "There is no HIPAA certification for a cloud provider such as AWS."

          Whose responsibility is it to ensure the data is safe? Surely, a "clueless operator" should not be able to put data on a publicly accessible share in the first place, if Amazon complies and is the entity hosting the data?

          I'm curious how the legalities are interpreted to bypass the HIPAA protections in this case.

  • by fermion ( 181285 ) on Saturday September 19, 2015 @10:47PM (#50559317) Homepage Journal
    Unfortunately, Paxton is being prosecuted for being a con man who convinced a number of people to invest under false pretenses. I can imagine that by Monday he will put the data up for sale on the 'Dark Web' to fund his defense and imminent life as a fugitive in an undisclosed tropical locations.
  • Jail, bankruptcy? (Score:5, Insightful)

    by whoever57 ( 658626 ) on Saturday September 19, 2015 @11:15PM (#50559421) Journal

    So someone is going to jail for this and the company will soon be bankrupt, right?

    Oh wait, none of this will happen, because the government is controlled by corporations. Just like the GM story where the cover-up led to people dying. No one will ever serve any time for killing people in this manner.

    • by AmiMoJo ( 196126 )

      We need really harsh penalties for companies that use this data. None of them will do it openly, but you can bet insurance providers and employers are accessing it (through multiple third party reports, to insulate themselves legally).

  • This didn't really happen - I looked at thei the AWS website, and they tell us it's secure.

    Sounds legit.

  • by AmazingRuss ( 555076 ) on Sunday September 20, 2015 @12:22AM (#50559609)

    "Tomorrow, Vickery will turn over the data to the the Texas Attorney General, where it will be destroyed. "

    See? They're going to destroy it!

    • by Anonymous Coward

      How can this possibly be "Might be a HIPPA violation?"

      It is precisely what HIPPA was created to protect against.

      • How can this possibly be "Might be a HIPPA violation?"

        It is precisely what HIPPA was created to protect against.

        I'm not remotely a lawyer but I can offer an opinion. It's the whole "spirit of the law" versus "letter of the law" deal, I would assume.

        For an analogy - that's the main reason Constitutional law can get so complex. Otherwise language like "shall make no law" and "shall not be infringed" isn't difficult to understand. No I don't think the authors of that document intended for physical papers to enjoy certain protections but not computers, cellphones, and other future replacements for paper not known t

      • by AK Marc ( 707885 )
        Not even remotely. HIPAA was about "portability" before "accountability". Last I looked, there had been fines levied for not releasing medical records, but not a single one for releasing them inappropriately. The consultants all lied about the law to drive up their business, and medical practices are conservative about risk, so everyone thought about it as a "security" law, but it was more about access and portability for one's own records, and the penalties for leaks were not the reason or primary goal
  • Why does plain text still exist? Or put it another way, why is anyone who has data they must protect able to put such data into a program that will export, import or otherwise be accessed by an external system *without* an encryption key?

    I know it's a stupid question, but being able to just dump a database to text is just totally wrong, no? Nobody seems to be phased by SSL over HTTP, after all. Excel, Outlook, Oracle, MySQL, etc. - stop the madness!

    • by godrik ( 1287354 )

      Well, I am not sure what they were doing with that data. But if you are going to make any kind of multi pass analysis on it, you probably don't want to pay the runtime cost of encryption/decryption. Also, if your system has any kind of external connectivity, it is typically for authorized querying of the data, so the system certainly needs a way to decrypt it.

      • by gilgongo ( 57446 )

        Well yes, runtime costs of encryption might be an issue, but that's sort of what I meant when I said nobody seems to be phased by SSL and how that works with trusted keys, etc. In short, why can't all data (like medical records) be encrypted inside systems that are incapable of exporting the plain text and can't be accessed by anything that doesn't have the cryptographic ability to do so?

        Obviously, and attacker could steal the keys and write an application that read that data and then exported it as plain t

    • by AK Marc ( 707885 )

      Why does plain text still exist?

      Because searching an encrypted database for "gilgongo" isn't trivial. And when passing "gilgongo" to middleware over unencrypted XML, how do you encrypt the individual fields? Because if you send encrypted XML (IPSEC or such) then you'd send the fields inside unencrypted, so the dB on both ends would be unencrypted, or import/export unencrypted.

      Makes a mess for migrations and support.

  • Fuck all these people. They need to be held accountable. This should be a capitol offense. That would put a chill into all these so called "programmers", who are really nothing more than glorified mop masters.
  • At least the guy isn't being criminally held liable for bringing this to everyone's attention.
  • So Amazon, or whomever, lets 1.5 million personal medical records get into the wild. Will there be Congressional investigations considering this is substantially more than what happened to the IRS?

    Where were the investigations about Target and its breach of 40 MILLION credit and debit card numbers?

    Or is this simply another example of private industry doing it better than government?

Trap full -- please empty.

Working...