Medical records covering the nature and results of weekly blood tests for 150,000 Americans have been exposed to the public, thanks to yet another company misconfiguring its Amazon S3 repository.
Kromtech Security Center researchers discovered the easily accessible cache of 47.5 GB of data, which consists of 316,363 PDF reports; each patient had weekly test results totaling about 20 files. Far from anonymous, each file is named after the patient and includes the dates of testing, home addresses, phone numbers and details on the tests themselves—clearly a jackpot for a criminal bent on spear phishing or medical scams. Even doctors’ names and case management notes are included.
Kromtech said in a blog post that the database appears to be connected to a patient home monitoring company that conducted the weekly blood clot medication testing via patient self-test kits—offered as an alternative to patients having to visit a lab or doctor’s office.