Over a Million PHI Records Dump Off Systema Software

Kate Knibbs from Gizmodo started writing last last night about Systema Software, a small software company hosted in AWS (Amazon Web Services) who’s infosec practices led to a pretty large “breach” or exposure and of healthcare records to the curious, general public.

I’m not sure why Knibbs decided to associate Amazon with this breach; her approach to writing her piece is almost purposeful in attempting to blame Amazon for the horrible practice of posting PHI to a publicly accessible share.

It is interesting to note that AWS has a very robust security infrastructure and furthermore has very strong legal language and requirements in their Business Associate Agreements, where they require all clients to comply with basic HIPAA controls and requirements.

The data dump and records seem to be largely comprised of image scans of various insurance forms processed by Systema. It will be also interesting to see if AWS will dump Systema as a customer after this breach.

Knibbs writes:

Police injury reports, drug tests, detailed doctor visit notes, social security numbers—all were inexplicably unveiled on a public subdomain of Amazon Web Services. Welcome to the next big data breach horrorshow. Instead of hackers, it’s old-fashioned neglect that exposed your most sensitive information.

Texas tech enthusiast Chris Vickery had heard strange data dumps could turn up on Amazon’s cloud computing platform, so he started combing through. In early September, he found an enormous data breach that left the private medical information of millions of Americans sitting in the open online.

“It just kind of fell into my lap,” he told Gizmodo.

After Vickery downloaded the data and realized what it was, he started contacting the organizations impacted. Among those exposed: Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.

And there was more:

Vickery claims that when he spoke with Smith, the COO told him the data was left visible due to a contractor’s mistake. We have reached out for comment to Systema, and other companies affected by the breach, and will update as we know more.

Tomorrow, Vickery will turn over the data to the the Texas Attorney General, where it will be destroyed. But that doesn’t mean Systema is in the clear. Vickers may not be the only person who downloaded those millions of records as they sat out in the Amazon cloud.

We don’t know how long the information was available for everyone to see. But no matter what the timeframe, the neglect could be a HIPAA violation: Systema failed to protect the security of patients’ electronic medical information.

While Systema may have gotten lucky this time, the gravity of this type of neglect shouldn’t be ignored. Yes, maybe no bad actors saw it. But a company entrusted with some of the most personal records of millions of people somehow managed to bungle safeguarding it to such a degree that a random dude found it online.

This is actually a pretty horrifying experience for the users affected by this breach. To assume that this is a limited breach is a really bad idea and a poor security practice; Systema, or the users responsible for making these documents public should be ashamed of themselves.

Here are some sanitized screenshots of the documents obtained.

Screen Shot 2015-09-18 at 10.22.36 AM

Screen Shot 2015-09-18 at 10.29.57 AM

Screen Shot 2015-09-18 at 10.30.29 AM