How Did A Simple Mistake Lead To A HIPAA Violation?

Configuring online storage banks requires close attention, because a single mistake can lead to a data breach.

Amid the global reaction to the coronavirus and the worldwide push to develop a vaccine, drug manufacturers and developers have all eyes on them.

This has led to spiking stock prices and wild speculation as companies are awarded government funding, start trials, and finally announce results.

Hackers and cybercriminals are also targeting the healthcare sector, and amid a flurry of healthcare data breaches, pharmaceutical giant Pfizer presented a sobering reminder of how a seemingly trivial mistake can lead to a data leak.

Discovered by vpnMentor’s cyber security research team, the breach occurred due to a misconfigured Google Cloud Storage bucket that, once found, granted free access to unsecured and unencrypted patient data.

The exposed data included transcripts of chat conversations between customers and the company’s automated chat program, regarding refills of medication and side effects. The transcripts included complete names, addresses, email addresses, and even partial data on health and medical status. All of this data could be used by bad actors to send phishing emails, intercept medications, or impersonate either patients or drug companies to nefarious ends.

Misconfigured cloud storage is nothing new. Breaches caused by this mistake occur on a regular basis. In a survey of over 2,000 Google Cloud buckets, Comparitech found that 6% were unsecured, meaning that with the correct URL, anyone can access and download the data. Amazon’s S3 buckets are also often found exposed.
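As an added example (not from the original article), the Python script below audits an inventory of bucket IAM policies for the kind of public grant described above. It assumes the policies were exported in the JSON shape printed by `gsutil iam get gs://BUCKET`; the bucket names, members and helper function names are constructed for illustration.

```python
import json

# Special IAM principals that expose a bucket beyond named identities.
PUBLIC_MEMBERS = {
    "allUsers": "anyone on the internet, no sign-in",
    "allAuthenticatedUsers": "anyone signed in to any Google account",
}

# Constructed inventory: bucket name -> IAM policy in the JSON shape printed by
# `gsutil iam get gs://BUCKET`. Bucket names and members are made up.
SAMPLE_POLICIES = json.loads("""
{
  "example-chat-transcripts": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:it-admins@example.com"]}]},
  "example-partner-share": {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["user:analyst@example.com", "allAuthenticatedUsers"]}]},
  "example-internal-logs": {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:logger@example-project.iam.gserviceaccount.com"]}]},
  "example-empty-policy": {}
}
""")


def public_bindings(policy):
    """Return sorted (role, member) pairs that grant a role to a public principal."""
    hits = set()
    for binding in policy.get("bindings") or []:
        for member in binding.get("members") or []:
            if member in PUBLIC_MEMBERS:
                hits.add((binding.get("role", "<no role>"), member))
    return sorted(hits)


def audit(policies):
    """Map each exposed bucket to its public bindings; clean buckets are omitted."""
    report = {name: public_bindings(policy) for name, policy in policies.items()}
    return {name: hits for name, hits in report.items() if hits}


if __name__ == "__main__":
    for bucket, hits in sorted(audit(SAMPLE_POLICIES).items()):
        for role, member in hits:
            print(f"{bucket}: {role} granted to {member} ({PUBLIC_MEMBERS[member]})")
```

Run on a schedule against every bucket in the inventory, a check like this turns a silent misconfiguration into a tracked finding.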

“Given increased reliance on cloud hosted systems and decentralized systems, it is incredibly important that IT and security teams educate themselves on the various access control settings for the cloud services they use,” Joe Moles, vice president of customer security operations at Red Canary, said via email. “At the end of the day this is a symptom of immature IT hygiene. Most of this risk can be reduced through maturing processes to better track configuration, inventory, etc. Simply put: Better security through better IT.”