Systema Leaves Insurance Claims Data In The Cloud – Unprotected

Databreaches is reporting that someone discovered a large amount of data on a public segment of Amazon Web Services.  This person, described as a technology enthusiast (i.e. a geek) downloaded some of this data and discovered it contained medical claims data.

The repository, which supposedly contained gigabytes of data was later identified to belong to Systema Software.  Systema is a vendor of claims processing software and offers cloud services to host the claims data.

In the data which was publicly available on Amazon, were insurance claims forms, address books with over a million names, addresses and social security numbers, birth dates, financial information and claims information.

Also included in the repository was a database with 3 million payment records and another database with 4.7 million notepad entries.  Still other databases include bank account information.

At least some of the records were workers compensation claims from Kansas and Utah.

The geek who found this reported it to the entities who’s data he found such as the state of Kansas.  The person said that within 30 minutes of him reporting what he found to officials in Kansas, the data was no longer publicly available.

Likely the data had been publicly available for months.

What is interesting here is not that Systema screwed up or that data records for Workers compensation claims were exposed, but rather that as we move more and more information to the cloud, the opportunity for human error to make data that should be private public increases.

If Systema stored these records on a file server in their office instead of in the cloud and they screwed up the permissions, then maybe some people in their office might be able to see data that they should not see.

However, if you store this data in the Amazon cloud and screw up the permissions, then the potential is that anyone in the world might be able to see it.

The interesting question is whether this is a HIPAA breach.  Some of the businesses involved with this may not be HIPAA “Covered Entities” while others may be “Business Associates” of covered entities.  It seems likely that it violated state privacy laws due to the financial data exposed.

As of right now, no one has posted a breach notice on their web site other than databreaches.

In fairness to the states involved such as Kansas, Utah and California, this revelation of the breach is only a few weeks old, so they are likely still trying to figure out what was compromised, who is responsible, etc.

This is a reason why having an incident response plan in place before a breach is important.  Even with one, it still takes time to sort things out.

But this breach does point out the obvious – when you put things in the cloud, it is critical that you set the access permissions correctly!

Information for this post came from ,

Leave a Reply

Your email address will not be published.