The UpGuard Cyber Risk team can now disclose that detailed medical information for employees of 181 business locations, as well as personally identifiable information (PII) for nearly 3,000 individuals was publicly exposed in an unsecured Amazon S3 storage bucket belonging to Medcall Healthcare Advisors (CSR score: 342), a “Workers Compensation and Healthcare Solutions” provider. Medcall’s workers compensation line of services act as an intermediary between employees and emergency care, with Medcall operators taking calls from enlisted persons, gathering information about them and their issue, and then connecting them with “someone board certified in emergency medicine.”
Included in the exposed 7 gigabyte datastore were PDF injury intake forms for 181 different business locations across America, with PII, descriptions of injury and sickness, and details about the patient’s employment and employer. Also present were recordings of phone calls between patients, Medcall operators, and doctors. Finally, a directory of comma separated values (CSV) files contained PII including full Social Security Number for nearly 3,000 individuals enrolled through Medcall’s services.
Although the number of affected individuals is relatively small when it comes to other data breaches UpGuard has reported, this incident serves as an example of how third and fourth party risk can compromise the privacy of individuals and companies if data handling practices are not properly monitored and controlled. Medical information is not just exploitable, but extremely personal, intimate, and its exposure entails more than just the possibility of fraud that accompanies all PII, a fact underlying the privileged status of the doctor-patient relationship.
For additional coverage of this incident, see databreaches.net.
On August 24th, 2018 a member of the UpGuard cyber risk team discovered an insecure Amazon S3 storage bucket with the name “medcall.” The UpGuard cyber risk team began analysis of the contents of the bucket and determined it was extremely sensitive, with PII for thousands of people being exposed. The bucket was publicly writable, as was the ACL permission set, which had an “Everyone - Full Control” statement. The owner of the bucket was attributed to be Medcall Healthcare Advisors through multiple factors, including the name of the bucket, the username listed in the ACL permissions, “randy”, and the contents themselves, which include PDFs with Medcall letterhead and Medcall representatives in the recordings. On the afternoon of August 30th, UpGuard notified Medcall CEO Randy Baker about the exposure via email. By 9:30AM the next day, August 31st, the medcall bucket had been closed, preventing any future malicious use of the data.
In addition to the exposure created by publicly readable assets, the medcall bucket was publicly writable as well, meaning any anonymous user could add, change, or delete files from the store. Furthermore, the permissions themselves were publicly writable, creating the potential for other malicious scenarios, such as the bucket owner being locked out of the resource entirely. Misconfigured S3 buckets remain a problem for companies of all sizes. The ‘everyone’ group should almost never be used, much less granted full control. Our full blog post on securing Amazon S3 buckets can be found here.
There were several types of sensitive files inside the medcall bucket:
Call Recordings (715 files) - These folders contained audio files of recorded phone calls between employees, Medcall operators, and doctors. There is PII discussed in these calls, as well as medical problems and injury reports. Among the audio files are also a handful of recorded video calls.
PDF Documents (2982 files) - This collection of PDF files are primarily intake reports with PII, full social security numbers, injury and sickness descriptions, current medications, and other typical medical intake data. Also present are chart notes, including symptoms, diagnoses, medication prescribed, and other details. Medcall instructional documents, test documents and other assorted business files were also present in small numbers.
CSV Files - The CSV files in this folder contain PII details including name, address, DOB, phone number, email address, full social security number, gender, and coverage level. Of the 310 files in the csv folder, one file, named 1487424421Base MedCallEligibilityReport_2017-02-17 07_00_16.csv contained the bulk of the data, with approximately 2900 rows of information on almost as many individuals. The other files were much smaller and seemed to contain the same people present in the main file, so their count was omitted from this number. The “description” field identified the patient as the primary, spouse, or child. Of the approximately 2900 individuals, 540 entries identified the person as a child. While it was not feasible to identify the natural person behind each of these entries, UpGuard analysts checked several individuals and consistently found corroborating evidence that matched their location, age, and gender. The headers present in this CSV were as follows:
According to its website, “MedCall Advisors is a comprehensive tele-emergent care medical service utilizing technology to immediately connect anyone experiencing a medical event with a physician Board Certified in Emergency Medicine. Plan participants are able to access physicians through multiple mediums. Landline calls, smart phones and computers provide both audio and video consultations.”
Exposed in the medcall dataset were 181 business locations across the United States, with nearly 150 unique businesses. Many of the affected companies are transportation businesses, while the others are comprised of a variety of different industries, including local government entities like county boards and school districts, and individual locations of large franchise chains, like Piggly Wiggly, KFC, and Hampton Inn. The full list of business locations with at least one exposed medical intake report for an employee are listed below. Almost all of Medcall's worker's compensation clients go through a distributor, these being Key Risk, Peoplease, and W.R. Berkley. The scope of affected businesses illustrates how an exposure for a single entity in a supply chain creates ripples throughout the entire digital ecosystem.
Technology furnishes healthcare services with additional functionality, reduces the time it takes to perform them, and allows those operations to scale without much change in quality for the individual. However, this technological abstraction also introduces new risk, risks that can make otherwise confidential information publicly accessible. The PII present in the Medcall data is more than enough for the individuals within to have had their identities stolen, if a malicious actor were to have accessed it. The medical details reveal an even more private world, that of individuals dealing with their own bodies, and the specialists who help with them.
The healthcare industry has a long history of data privacy issues, because of both the sensitivity of medical data and the complex infrastructure required to manage information at such a scale. The processes by which sensitive information is handled and stored must have controls that prevent exposure, especially when utilizing internet-facing cloud technology. Privacy violations create more distrust in the already divisive relationship between healthcare companies and the people who rely on them.
The digitization of information coupled with internet-facing storage technologies has created an environment where large amounts of information— including sensitive information— can be aggregated, centrally stored, and made available anywhere in the world. The advantages this provides are self-evident by now, but the risks taken on by the same factors only become clear when information becomes exposed. It should be the responsibility of any organization that handles sensitive data to protect the integrity of that data with secure systems and controlled processes across their digital presence, including, and perhaps especially, their vendors.