Breach Notification , Cloud Security , Governance & Risk Management
Health Data for Millions Deleted From Cloud Bucket
Benefits Administrator Says AWS S3 Bucket Was Breached20/20 Eye Care and Hearing Care Network, a vision and hearing benefits administrator, is notifying nearly 3.3 million individuals that their personal and health information contained in an Amazon Web Services cloud storage bucket was accessed or downloaded - and then deleted - by an "unknown" actor in January.
See Also: Forrester Top 35 Global Breaches Report: Balance Defense with Defensibility
In a May 28 breach report filed with the Maine attorney general's office, the Fort Lauderdale, Florida-based company says that on Jan. 11, it was alerted to "suspicious activity" in its Amazon Web Services environment. The company says it reported the incident to the FBI, the U.S. Department of Health and Human Services and various state regulators.
As of Wednesday, the 20/20 Eye Care and Hearing Care Network breach was not yet posted on the HHS HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
But the company's report to Maine's attorney general notes that the incident affected 221 state residents and nearly 3.3 million individuals in total, which would rank the incident among the largest health data breaches reported to regulators so far in 2021.
'Insider Wrongdoing'
In its report to the Maine attorney general, the company described the incident as involving "insider wrongdoing," even though the breach notification to affected individuals says the breach involved "an unknown person(s)."
The company did not immediately respond to Information Security Media Group's request for more details.
In its notification statement, 20/20 Eye Care and Hearing Care Network notes that its investigation determined that on Jan. 11, "data was potentially removed from the S3 buckets hosted in AWS and all the data in the S3 buckets was then deleted."
The company says its investigation determined that information that may have been subject to unauthorized access includes name, address, Social Security number, member identification number, date of birth and health insurance information.
"We do not think there is any actual misuse of your personal or vision/hearing insurance information, but we don’t know for sure," the company's notification statement says.
"A cybersecurity firm looked into the incident for us and could not tell which files were seen or deleted by the unknown person(s). Thus, we looked at all the information on the system that could have been seen or deleted to see if your information was involved."
The company is offering those affected 12 months of free credit monitoring, identity restoration services and fraud consultation through TransUnion.
"Additionally, 20/20 is providing impacted individuals with guidance on how to better protect against identity theft and fraud, including advising individuals to report any suspected incidents of identity theft or fraud to their credit card company and/or bank," the company's statement notes.
In response to the discovery of the suspicious activity in January, "access credentials to the AWS environment were reviewed and deactivated/reset, and other responsive security measures were immediately put into place," the company' breach notification statement says.
Data Deletion Activity
While many ransomware incidents have involved the exfiltration of data under the threat of selling it or exposing it, breaches involving the deletion of data appear to be rare.
Last July, independent security researcher Volodymyr "Bob" Diachenko reported his discovery of an unprotected database with information on 3.1 million patients that was exposed to the internet (see: Unsecured Database Exposed on Web - Then Deleted).
That database appeared to be owned by Adit, a Houston-based online medical appointment and patient management software company.
In an unusual development, several days later, the database appeared to have been deleted by a “Meow" bot, the researcher said.
“Unlike other malicious bots that find and delete exposed data, a 'Meow' bot doesn’t ask for a ransom, which has led some to believe the bot is actually benevolent and aims to protect data subjects’ information,” he wrote.
Data Backup
Tom Walsh, president of privacy and security consultancy tw-Security, says organizations that store data in the cloud must ensure they have "a well-defined data backup plan that includes keeping the database securely replicated elsewhere, rather than relying solely on AWS for storage and backup."
Organizations also must ensure they have an accurate inventory of their S3 buckets, says Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.
They also should "have secure baseline configuration for the buckets, a configuration management policy and technology to make sure that any changes in configuration are managed and unauthorized changes prevented," he says.
Entities should perform regular testing to make sure these controls are working as intended, he says. "Finally, they should grant access to the buckets to only those who need it, require unique credentials and implement, if possible multifactor authentication."