More than 316,000 patient blood tests exposed in breach linked to home monitoring company

Cybersecurity
A misconfigured "bucket" on Amazon Web Services exposed detailed medical records for more than 150,000 patients.

Medical information, including blood test results associated with more than 150,000 people that used an in-home testing service, were leaked after an Amazon-hosted cloud repository was misconfigured to allow public access, according to a cybersecurity firm.

The vulnerability was discovered by Kromtech Security Researchers on Friday, Sept. 29. The company reported their findings in a blog post on Tuesday and linked the database to Patient Home Monitoring, which offers a variety of monitoring services to manage respiratory diseases, sleep apnea and blood testing for patients on anticoagulants like Coumadin.

RELATED: Healthcare data breaches haven’t slowed down in 2017, and insiders are mostly to blame

Analysts discovered more than 316,000 PDF reports with detailed patient information including weekly blood test results, names, phone numbers and addresses. The company estimated the documents were linked to more than 150,000 people and included doctors’ notes.

Patient Home Monitoring provides at-home INR blood testing, which is used to measure the time it takes for a patient’s blood to clot. The test monitors patients that are taking anticoagulants to ensure they are receiving the appropriate dosage of warfarin without going to a clinic.

Bob Diachenko, chief security communications officer at Kromtech Security, told FierceHealthcare the repository hosted on Amazon Web Services was misconfigured in a way that anyone that knew the name of the “bucket” could access and download the data.

“In this case (as in many others we reported) we randomly guessed the name of this bucket,” he said in an email, adding that AWS buckets are set to private mode by default, requiring an administrator to manually reconfigure it to allow public access.

RELATED: Faster breach discovery may be linked to a growing number of hacking incidents

Patient Home Monitoring did not immediately respond to a request for comment. Diachenko noted that the bucket is no longer public and researchers are unable to determine whether anyone accessed the files, since access logs are available to administrators only.

The company’s privacy policy notes that patients “have a right to be notified by the company if there is a breach of your unsecured confidential health information.”

Companies that maintain or store protected health information are required to notify victims of a data breach within 60 days of discovery. If the breach involves more than 500 individuals, covered entities are required to notify the Department of Health and Human Services.