{
	"id": "eddeaa4e-662a-412b-88ac-e093ea7955b0",
	"created_at": "2026-04-06T00:18:20.157261Z",
	"updated_at": "2026-04-10T03:21:09.83675Z",
	"deleted_at": null,
	"sha1_hash": "678404f0f523bb42c1fd5c99758be40943f18fd3",
	"title": "47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66073,
	"plain_text": "47GB of Medical Records and Test Results Found in Unsecured\r\nAmazon S3 Bucket\r\nBy Steve Alder\r\nPublished: 2017-10-11 · Archived: 2026-04-05 17:46:03 UTC\r\nResearchers at Kromtech Security have identified another unsecured Amazon S3 bucket used by a HIPAA-covered entity. The unsecured Amazon S3 bucket contained 47.5GB of medical data relating to an estimated\r\n150,000 patients.\r\nThe medical data in the files included blood test results, physicians’ names, case management notes, and the\r\npersonal information of patients, including their names, addresses, and contact telephone numbers. The\r\nresearchers said many of the stored documents were PDF files, containing information on multiple patients who\r\nwere having weekly blood tests performed.\r\nIn total, approximately 316,000 PDF files were freely accessible. The tests had been performed in patients’ homes,\r\nas requested by physicians, by Patient Home Monitoring Corporation. Kromtech researchers said the data could be\r\naccessed without a password. Anyone with an Internet connection who knew where to look could have accessed\r\nall 316,000 files. Whether any unauthorized individuals viewed or downloaded the files is not known. The\r\nresearchers were also unable to tell how long the Amazon S3 bucket had remained unsecured.\r\nThe unsecured Amazon S3 bucket was found by Kromtech researchers on September 29. It took some time to\r\nidentify the company concerned and find contact details. They were located on October 5 and a notification was\r\nsent. 
While no response was forthcoming, by the following day, all data were secured and files could no longer be\r\naccessed online without authentication.\r\nThe cloud offers healthcare organizations cost-effective and convenient data storage. Provided HIPAA-compliant\r\ncloud platforms are used and a business associate agreement is obtained prior to the cloud being used to store\r\nePHI, HIPAA permits the use of the cloud. However, having a BAA does not guarantee HIPAA compliance. The\r\nactions of users can still result in HIPAA violations and the exposure of sensitive data.\r\nThe failure to implement controls to prevent cloud-stored data from being accessed by unauthorized individuals is\r\nan easy mistake to make, but one that can have serious consequences, not only for the patients whose PHI has\r\nbeen exposed but also for the covered entity or business associate.\r\nThe failure to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI can result in\r\nsevere financial penalties from OCR and state attorneys general. A data breach can also result in lawsuits from\r\npatients seeking damages to cover the lifelong risk of harm from the exposure of their PHI.\r\nMistakes are inevitable, and oftentimes those mistakes will result in PHI being exposed, but in the case of\r\nunsecured Amazon S3 buckets, it is also easy to check for configuration errors. 
Kromtech, for example, offers a\r\nfree software tool – S3 Inspector – that can be used by healthcare organizations to check whether their AWS S3\r\nbucket permissions have been configured correctly to prevent access by the public.\r\nAuthor: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy\r\nregarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory\r\naffairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a\r\ndeep understanding of regulatory issues surrounding the use of information technology in the healthcare industry\r\nand has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA\r\nJournal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the\r\nhealthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA\r\nunder Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal\r\naccuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the\r\nUniversity of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com\r\nSource: https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/"
	],
	"report_names": [
		"47gb-medical-records-unsecured-amazon-s3-bucket"
	],
	"threat_actors": [],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/678404f0f523bb42c1fd5c99758be40943f18fd3.pdf",
		"text": "https://archive.orkl.eu/678404f0f523bb42c1fd5c99758be40943f18fd3.txt",
		"img": "https://archive.orkl.eu/678404f0f523bb42c1fd5c99758be40943f18fd3.jpg"
	}
}