Health data, contractors and cloud form another perfect storm

Health records and disability claim forms for more than a million residents in states like Kansas and Utah, and in local governments there, washed up on Amazon’s cloud – the latest example of the combustible mix of health data, third-party contractors and cloud-based applications.

Malicious attacks on healthcare providers are nothing new. But the sad truth is that most healthcare data breaches are accidental rather than malicious. Simply put: healthcare providers are much more likely to lose track of patient records and other sensitive data than they are to have it stolen from them by “advanced, sophisticated” cyber adversaries.

An incident that made the news this week helps underscore the reasons for that – and also suggests reasons why the problem may get worse before it gets better.

As reported by website, information on more than a million individuals was exposed when entire, unencrypted and unsecured databases washed up on a virtual server hosted on Amazon’s AWS cloud infrastructure. Included in those databases was personal and financial information on residents of the state of Kansas who had business before the Kansas State Self Insurance Fund, schools and universities that did business with CSAC Excess Insurance Authority (EIA), an insurance risk sharing pool for public entities in the state of California, the Golden State Risk Management Authority, and a reported 29,000 employees of Salt Lake County, Utah who filed workers' compensation claims, as well as customers of a wide range of other insurance providers.

The common thread? The firm Systema Software of Larkspur, California, which provides claims administration software and services to the insurance industry. According to, the databases were all found on a publicly available subdomain on AWS that was associated with Systema.

Systema did not respond to requests for an interview and has issued a public statement addressing the breach.

While the exact circumstances of the breach are not known, a statement by Salt Lake City Mayor Ben McAdams, released on Monday, said the data on county workers may have been accessible since June 18 of this year. The statement pinned the blame on a “scheduled upgrade by a software services company retained by the County,” suggesting that Systema may have backed up customer databases to a publicly addressable AWS server.

The full extent of the breach isn’t known. But the details of the incident suggest it is yet another incident in which a toxic combination of health data, cloud-based applications and loose security practices has led to the exposure of sensitive personal information.

In that sense, the incident isn’t that dissimilar from others involving health data. As I noted in July, over a million patients of more than 230 hospitals, doctors’ offices and clinics had patient data exposed in a May hack of Medical Informatics Engineering (MIE), a Fort Wayne, Indiana firm, and its NoMoreClipBoard electronic health records system. On a smaller scale, St. Elizabeth’s Hospital in Boston received a $218,000 fine in July from the Department of Health and Human Services after HHS’s Office of Civil Rights discovered that clinical staff were parking electronic protected health information on the cloud using an “Internet-based document sharing application.” That is a violation of the federal HIPAA patient privacy law.

Clearly, these incidents suggest that there’s a lurking problem out there in the health field. And, as I said, it is a problem that is poised to get worse. On the one hand, the embrace of web-based applications and the healthcare sector’s heavy reliance on third party providers have benefits: increased customer service and lower costs are among them. But the companies providing these services too often exhibit a lackadaisical approach to securing IT and hardening their applications to outside attack.

And, as both the MIE and the Systema incidents show us: when service providers stumble and fall, or are victimized, the ripple effects can be felt far and wide. In the MIE breach, for example, close to one in four residents of the State of Indiana had their medical information exposed.

What is the solution? There is no simple answer. Firms that are trading in protected health information need to pay close attention to how that data is handled and ensure that it is secured both at rest and in transit. Loose practices around critical functions like software updates, data migration, data backups and the like are a recipe for disaster. Protections that prevent sensitive data from escaping from sensitive environments are a must.

Health and service providers also need to start asking more specifically about the data security practices of companies that they contract with. As the Systema incident suggests: the best application security procedures don’t matter much if staff are dumping entire databases – including administrator credentials – onto unprotected AWS instances. While no company is likely to admit to such foolery up front, companies can build protections into their service agreements that raise the cost to providers who slack off or fail to live up to their word.
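As an added illustration of the guardrails the two paragraphs above call for (example code, not from the article or from any firm named in it), here is an offline Python audit for the two misconfigurations that turn a database backup into a public exposure: a security group opening database ports to the whole Internet, and a bucket policy granting anonymous read. The resource names and rules are constructed sample data shaped like AWS CLI output.

```python
import json
from typing import List

# Database ports worth flagging when reachable from anywhere: MSSQL, Oracle, MySQL, Postgres, Mongo.
DB_PORTS = {1433, 1521, 3306, 5432, 27017}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

def open_db_ingress(sg: dict) -> List[str]:
    """Return findings for security-group rules that expose a DB port (or all ports) to the world."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)   # absent ports => all ports
        world = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", [])) or any(
            r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
        hit = {p for p in DB_PORTS if lo <= p <= hi}
        if world and (hit or perm.get("IpProtocol") == "-1"):
            findings.append(f"{sg['GroupId']}: world-reachable ports {sorted(hit) or 'ALL'}")
    return findings

def public_bucket_policy(name: str, policy_json: str) -> List[str]:
    """Flag unconditional Allow statements that let any principal read objects."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        readable = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        if st.get("Effect") == "Allow" and anyone and readable and "Condition" not in st:
            findings.append(f"{name}: anonymous read via {actions}")
    return findings

# Constructed sample records (hypothetical names; shaped like `aws ec2 describe-security-groups`
# and `aws s3api get-bucket-policy` output, not data from any real account).
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},   # bad: MSSQL open to the Internet
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},   # fine: public HTTPS
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}  # fine: internal only
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::claims-backups-example/*"}]})

def audit() -> List[str]:
    """Run both checks over the sample records and return all findings."""
    return open_db_ingress(SAMPLE_SG) + public_bucket_policy("claims-backups-example", SAMPLE_POLICY)

if __name__ == "__main__":
    print("\n".join(audit()) or "no public exposure found")
```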

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.
