Public Option: How Medical Records and Patient-Doctor Recordings Were Exposed

Last updated by UpGuard on October 31, 2018

The UpGuard Cyber Risk team can now disclose that detailed medical information for employees of 181 business locations, as well as personally identifiable information (PII) for nearly 3,000 individuals was publicly exposed in an unsecured Amazon S3 storage bucket belonging to Medcall Healthcare Advisors (CSTAR score: 342), a “Workers Compensation and Healthcare Solutions” provider. Medcall’s workers compensation line of services act as an intermediary between employees and emergency care, with Medcall operators taking calls from enlisted persons, gathering information about them and their issue, and then connecting them with “someone board certified in emergency medicine.”

Included in the exposed 7 gigabyte datastore were PDF injury intake forms for 181 different business locations across America, with PII, descriptions of injury and sickness, and details about the patient’s employment and employer. Also present were recordings of phone calls between patients, Medcall operators, and doctors. Finally, a directory of comma separated values (CSV) files contained PII including full Social Security Number for nearly 3,000 individuals enrolled through Medcall’s services.

Although the number of affected individuals is relatively small when it comes to other data breaches UpGuard has reported, this incident serves as an example of how third and fourth party risk can compromise the privacy of individuals and companies if data handling practices are not properly monitored and controlled. Medical information is not just exploitable, but extremely personal, intimate, and its exposure entails more than just the possibility of fraud that accompanies all PII, a fact underlying the privileged status of the doctor-patient relationship.

For additional coverage of this incident, see databreaches.net.

The Discovery
On August 24th, 2018 a member of the UpGuard cyber risk team discovered an insecure Amazon S3 storage bucket with the name “medcall.” The UpGuard cyber risk team began analysis of the contents of the bucket and determined it was extremely sensitive, with PII for thousands of people being exposed. The bucket was publicly writable, as was the ACL permission set, which had an “Everyone - Full Control” statement. The owner of the bucket was attributed to be Medcall Healthcare Advisors through multiple factors, including the name of the bucket, the username listed in the ACL permissions, “randy”, and the contents themselves, which include PDFs with Medcall letterhead and Medcall representatives in the recordings. On the afternoon of August 30th, UpGuard notified Medcall CEO Randy Baker about the exposure via email. By 9:30AM the next day, August 31st, the medcall bucket had been closed, preventing any future malicious use of the data.

The permissions of the medcall bucket at the time of discovery.
The permissions of the medcall bucket at the time of discovery.

In addition to the exposure created by publicly readable assets, the medcall bucket was publicly writable as well, meaning any anonymous user could add, change, or delete files from the store. Furthermore, the permissions themselves were publicly writable, creating the potential for other malicious scenarios, such as the bucket owner being locked out of the resource entirely. Misconfigured S3 buckets remain a problem for companies of all sizes. The ‘everyone’ group should almost never be used, much less granted full control. Our full blog post on securing Amazon S3 buckets can be found here.

The Contents
There were several types of sensitive files inside the medcall bucket:

Folder Name File Count Description
injury-intake-call-recordings 667 files Recordings of calls for Medcall's Workman's Comp service.
emr-call-recordings 48 files Recordings of calls for Medcall's individual subscriber service.
injury-intake 1149 files PDF intake processing forms for Medcall's Workman Comp service. 
pdf 1749 files Various PDF documents and forms.
csv 310 files CSV files of PII for Medcall individual subscribers.
electronic report 84 files Various PDF documents and forms.

 

Call Recordings (715 files) - These folders contained audio files of recorded phone calls between employees, Medcall operators, and doctors. There is PII discussed in these calls, as well as medical problems and injury reports. Among the audio files are also a handful of recorded video calls. 

Example of phone call recordings stored in the exposed Medcall S3 bucket. Many filenames contained patient names and other details.
Example of phone call recordings stored in the exposed Medcall S3 bucket. Many filenames contained patient names and other details.

PDF Documents (2982 files) - This collection of PDF files are primarily intake reports with PII, full social security numbers, injury and sickness descriptions, current medications, and other typical medical intake data. Also present are chart notes, including symptoms, diagnoses, medication prescribed, and other details. Medcall instructional documents, test documents and other assorted business files were also present in small numbers.

Screen Shot 2018-08-27 at 8.46.32 AM
Redacted example of a Medcall intake form.

Redacted example of a Medcall Intake form.
Redacted example of a Medcall intake form.

Redacted example of the “Employers Section” on a Medcall intake form.
Redacted example of the “Employers Section” on a Medcall intake form.

Screen Shot 2018-08-27 at 8.49.52 AM
Redacted example of a Medcall injury report.

Redacted example of Medcall chart notes, with doctor diagnosis and action plan.
Redacted example of Medcall chart notes, with doctor diagnosis and action plan.

CSV Files - The CSV files in this folder contain PII details including name, address, DOB, phone number, email address, full social security number, gender, and coverage level. Of the 310 files in the csv folder, one file, named 1487424421Base MedCallEligibilityReport_2017-02-17 07_00_16.csv contained the bulk of the data, with approximately 2900 rows of information on almost as many individuals. The other files were much smaller and seemed to contain the same people present in the main file, so their count was omitted from this number. The “description” field identified the patient as the primary, spouse, or child. Of the approximately 2900 individuals, 540 entries identified the person as a child.  While it was not feasible to identify the natural person behind each of these entries, UpGuard analysts checked several individuals and consistently found corroborating evidence that matched their location, age, and gender. The headers present in this CSV were as follows:

• Patient ID/Auth Code (Medcall unique identifier)  Coverage Level (Single, Married, Children, or Family)
 Description  Full Name
 Email  Home Address (City, State, Zip)
 Fixed Phone  Cell Phone
 Gender  Date of Birth
 Effective Date (of coverage, and cancelation where applicable)  Social Security Number

 

Screen Shot 2018-08-27 at 8.48.41 AM
Redacted example of the Medcall CSV file, with column names.

Screen Shot 2018-09-12 at 9.50.24 AM

Redacted example of the Medcall CSV file as viewed using Numbers

The Significance
According to its website, “MedCall Advisors is a comprehensive tele-emergent care medical service utilizing technology to immediately connect anyone experiencing a medical event with a physician Board Certified in Emergency Medicine.  Plan participants are able to access physicians through multiple mediums. Landline calls, smart phones and computers provide both audio and video consultations.”

Exposed in the medcall dataset were 181 business locations across the United States, with nearly 150 unique businesses. Many of the affected companies are transportation businesses, while the others are comprised of a variety of different industries, including local government entities like county boards and school districts, and individual locations of large franchise chains, like Piggly Wiggly, KFC, and Hampton Inn. The full list of business locations with at least one exposed medical intake report for an employee are listed below. Almost all of Medcall's worker's compensation clients go through a distributor, these being Key RiskPeoplease, and W.R. Berkley.  The scope of affected businesses illustrates how an exposure for a single entity in a supply chain creates ripples throughout the entire digital ecosystem. 

 Distributor Affected Company State
Key Risk 1888 Mills, LLC GA
Key Risk 1st Choice Staffing, LLP PA
Key Risk Adfinitas Management, LLC MD
Berkley Mid Atlantic Advanced Office Systems, Inc. PA
Berkley Southeast Airstream Heating and Cooling, LLC TN
Peoplease Aleva Trucking & Produce, LLC GA
Key Risk Allendale Barnwell Disabilities and Special Needs Board SC
Key Risk Allentown School District PA
Key Risk American Transmed SC
Key Risk Angel Management Inc. (Brightstar Care) MD
Peoplease Apex PTO & Trailer, Inc. NC
Peoplease AR Paquette & Company FL
Key Risk Ashe County NC
Key Risk Asset Management & Consulting Services SC
Key Risk Associated Community Services, Inc. MD
  Atlanta Commercial Tire GA
Peoplease B and S Holdings, LLC (AGX Carriers) SC
Key Risk Bacon Enterprises (KFC) VA
  BD & K Foods GA
Key Risk Blue Ridge Area Foundation NC
Key Risk Brookland Baptist Church SC
Peoplease Bulldog Hiway Express AL
Peoplease Bulldog Hiway Express SC
Peoplease Burns and Sons Trucking, Inc. CA
Key Risk Butler Medical Transport LLC MD
Key Risk Cambridge Healthcare Management, LLC VA
Key Risk Candler County Board of Education GA
Key Risk Care Sense Health and Care Sense Home Care PA
Peoplease CDS Management, LLC AZ
Key Risk Chapel Valley Landscape Company VA
Key Risk Charlton County Board of Education GA
  Child Guidance Resource Center PA
Key Risk City of Greenville GA
Peoplease Conner Logistics, Inc. CA
Peoplease Contracted Driver Services AZ
Peoplease Contracted Driver Services TX
Peoplease Corriher Trucking, Inc. NC
Key Risk County of Pickens SC
Peoplease Crystal Transportation Services dba Guardian Logistics Solutions NC
Key Risk CVSC, LLC dba Caravita Homecare, LLC GA
Peoplease Dan Palmer Trucking, Inc. CA
Peoplease DaRan, Inc. MN
Peoplease Daseke, Inc. dba J Grady Randolph, Inc. SC
Key Risk Davis Memorial Goodwill Industries Inc. VA
Key Risk Dedicated Nursing Associates, Inc. WV
Peoplease Delaware Valley Shippers, Inc. PA
Peoplease Deluxe Auto Carriers, Inc. CA
Peoplease Domino Transport IL
Key Risk Easter Seals MD
Peoplease Express Trucking & Courier, Inc. NY
Key Risk First Care Health Services, Inc. VA
Key Risk Fitch Irick Partners, LLC / GEM Management, Inc. NC
Key Risk Five Star Home Health Care, LLC VA
Peoplease Florilli Transportation IA
Key Risk Founder's Group International, LLC SC
Peoplease Fox Transportation, Inc. CA
Peoplease Frank's Vacuum Truck Service NY
Key Risk Franklin Special School District TN
Peoplease FSI Enterprises, Inc. NC
Key Risk Gardner Glass NC
Key Risk GEM Management SC
Key Risk Girl Scouts North Carolina Coastal Pines, Inc. NC
  Goodwill Industries of Northwest NC NC
Berkley Mid Atlantic Graham Dairy Supply, Inc. PA
Key Risk Graham Personnel Services, Inc. NC
Key Risk GT Marine and Outdoors, Inc. FL
Berkley Southeast H&F Bread Co. GA
Key Risk Hampton Inn SC
Peoplease Harvey Holdings, Inc. (Harvey Trucking) NC
Peoplease Heritage Hauling, Inc. SC
Key Risk Hilton Garden Inn GA
Key Risk Historyland Nursery, Inc. VA
Key Risk Hoge Motor Company TN
Peoplease Holland Transfer Company NC
Peoplease Honey Transport, Inc. CA
Key Risk Hope House Foundation VA
Peoplease Houser Transport, Inc. CA
Key Risk I.K. Hofmann, Inc. GA
Key Risk IFB Solutions (Winston Salem Industries for the Blind) FL
Peoplease Innovative Driver Services Company GA
Peoplease Innovative Driver Services Company SC
Peoplease Innovative Intermodal Inc. IL
Key Risk International Marina Group I, LP TX
Berkley Mid Atlantic J and K Door and Hardware dba Gerald & Lisa Welch PA
Peoplease JD Associates LLC FL
Key Risk JIT Warehousing & Logistics LLC GA
Peoplease John Curry, Inc. PA
Key Risk Johnson Nursery Corporation NC
Peoplease JP Express NJ
Peoplease JP Express NY
Peoplease JP Express PA
Peoplease JV Transportation Consultants, Inc. NJ
Berkley Entertainment LA County Fair Association CA
  La Parrilla Mexican Restaurant GA
Key Risk Landshark Bar & Grill NC
Berkley Mid Atlantic Latrobe Window Cleaning PA
Key Risk Lifeline Animal Project, Inc. GA
Peoplease Liquid Cargo of New Jersey, LLC NJ
Peoplease Lisk Trucking NC
Peoplease MMX Transportation, Inc. fka Star Leasing, Inc. NC
Key Risk Murrow's Transfer, Inc. GA
Key Risk Murrow's Transfer, Inc. NC
Key Risk National Counseling Group, Inc. VA
Key Risk Nature's Calling SC
Key Risk Newberry County DSN Board SC
Peoplease Numark Transportation, Inc. CA
Key Risk Oconee County School District SC
Key Risk Orangeburg County Disabilities and Special Needs Board SC
Key Risk Paragon Hotel Company SC
Peoplease Parts Distribution Xpress Inc. PA
Peoplease PHB, Inc. AL
Peoplease PHB, Inc. FL
Peoplease PHB, Inc. NY
Peoplease PHB, Inc. WI
Key Risk Piggly Wiggly Central, Inc. SC
Peoplease Pinnacle Transportation Systems, Inc. IN
Peoplease Pittsburgh-Fayette Express, Inc. PA
Enroll First Planet Fitness OK
Berkley Mid Atlantic Plaza Azteca, Inc. PA
Peoplease Postal Fleet Services AL
Peoplease Postal Fleet Services AR
Peoplease Postal Fleet Services FL
Peoplease Postal Fleet Services IA
Peoplease Postal Fleet Services IL
Peoplease Postal Fleet Services IN
Peoplease Postal Fleet Services KY
Peoplease Postal Fleet Services LA
Peoplease Postal Fleet Services MD
Peoplease Postal Fleet Services MN
Peoplease Postal Fleet Services MO
Peoplease Postal Fleet Services NC
Peoplease Postal Fleet Services NE
Peoplease Postal Fleet Services NH
Peoplease Postal Fleet Services NY
Peoplease Postal Fleet Services OK
Peoplease Postal Fleet Services PA
Peoplease Postal Fleet Services SC
Peoplease Postal Fleet Services TN
Peoplease Postal Fleet Services TX
Peoplease Postal Fleet Services VT
Peoplease Postal Fleet Services WV
Peoplease Premier Transportation & Warehousing IL
Peoplease Pro's Logistics, Inc. FL
Key Risk Project Transition PA
Peoplease Quality Logistics, Inc. SC
Peoplease R&R Transportation, Inc. CA
Peoplease R&R Transportation, Inc. MN
Key Risk Right at Home dba Fanorte LLC PA
Key Risk Rock Solid Janitorial, Inc. VA
Peoplease Rolling Enterprises, Inc. GA
Key Risk Ruff Housing NC
Key Risk Safe Harbor of Memphis, Inc. TN
Key Risk Safe Harbor of Nashville, Inc. TN
Key Risk Salisbury Rowan Community Action Agency NC
Peoplease Sexton Farms, LLC GA
Key Risk Shenandoah Valley Community Residences, Inc. VA
Berkley Southeast Slick Pig Bar-B-Q, Inc. TN
Key Risk Social Circle Schools GA
Key Risk Southeastern Container TN
Peoplease Southern Counties Terminals, Inc. (Griley Airfreight) CA
Key Risk Standard Press, Inc. GA
Key Risk Stars and Strikes GA
Peoplease Statesville Distribution Services, Inc. NC
Peoplease Steel Transport, Inc. IN
Key Risk Stier Supply Company, Inc. SC
Key Risk Stonemark Management AL
Key Risk Stonemark Management SC
Peoplease Swift Enterprises LLC TN
Peoplease T.G.S. Transportation, Inc. CA
Key Risk The Sheltering Arms Corporation VA
Key Risk Town of Lexington SC
Key Risk Transmore, Inc. VA
Key Risk Tri-State Distributors, Inc. GA
Peoplease Trinity Transport, Inc. NC
Peoplease Truck Service, Inc. NC
Peoplease TVT Logistics CA
Peoplease Underwood & Weld Co., Inc. NC
Key Risk Visiting Angels/Barbara J. Home Health Agency PA
Peoplease Wayne T. Fellows, Inc. FL
Key Risk Workforce Unlimited, LLC NC
Key Risk YMCA of Northwest North Carolina NC

Companies affected by the Medcall data exposure. The distributor through which the Medcall service was used is present where applicable.

Technology furnishes healthcare services with additional functionality, reduces the time it takes to perform them, and allows those operations to scale without much change in quality for the individual. However, this technological abstraction also introduces new risk, risks that can make otherwise confidential information publicly accessible. The PII present in the Medcall data is more than enough for the individuals within to have had their identities stolen, if a malicious actor were to have accessed it. The medical details reveal an even more private world, that of individuals dealing with their own bodies, and the specialists who help with them.

The healthcare industry has a long history of data privacy issues, because of both the sensitivity of medical data and the complex infrastructure required to manage information at such a scale. The processes by which sensitive information is handled and stored must have controls that prevent exposure, especially when utilizing internet-facing cloud technology. Privacy violations create more distrust in the already divisive relationship between healthcare companies and the people who rely on them.

Conclusion
The digitization of information coupled with internet-facing storage technologies has created an environment where large amounts of information— including sensitive information can be aggregated, centrally stored, and made available anywhere in the world. The advantages this provides are self-evident by now, but the risks taken on by the same factors only become clear when information becomes exposed. It should be the responsibility of any organization that handles sensitive data to protect the integrity of that data with secure systems and controlled processes across their digital presence, including, and perhaps especially, their vendors.

 

Concerned about data breaches?

Subscribe to data breach notifications ›