Thank goodness the good guys found this first. We don't know how long these private medical records were exposed, but for now it seems like we got away with one. This could have been serious, and it may still turn out bad if criminals got a peek.
It feels like every day, we hear of a new medical hack or security breach within hospital systems that leaves millions of people at risk. Well, it's happened again, and this time the vulnerability left over 1 million healthcare recipients exposed to vicious hackers.
It happened out of the blue: A bevy of police reports, drug test results, detailed doctor visits (including extremely private doctor notes) and even Social Security numbers were all accidentally uploaded to a public Amazon Web-based Cloud storage program.
It wasn't long until someone noticed that the file was just sitting there for the taking.
Chris Vickery, a man from Texas who just happened to love technology, saw the open file and hit the download button. After months of digging around, Vickery discovered that Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority and the Salt Lake County Database were the companies affected most by this breach.
He immediately reached out to the organizations to inform them of the vulnerabilities, and today he will travel to the Texas Attorney General's office to have the files permanently destroyed.
Even though the medical records are to be destroyed from Vickery's computer, that doesn't mean the company that handles these organizations' files is out of the woods. Systema Software is the small company that was responsible for these files, and it obviously failed to protect them.
The company will need to seriously revise its security protocols to continue serving millions of users. And it's already on its way to doing so.
Systema reached out to us and requested that we publish the following statement on its behalf:
Systema Software recently became aware that a single individual gained unapproved access into our data storage system containing data belonging to certain Systema clients. In addition to communicating with Systema, this individual also self-reported this discovery to the proper authorities and impacted clients and is in the process of working with the Texas Attorney General to securely wipe all data from his hard drive. While our investigation is still ongoing, it is important to note that, based on our initial review, we have no indication that any data has been used inappropriately. However, out of an abundance of caution, upon learning of this issue, we took immediate action including:
- Launching a comprehensive internal review to identify the scope of the event and necessary remediation measures
- Notifying impacted organizations
- Working closely with state and federal authorities as well as a leading forensic IT firm
The privacy and security of our clients’ information remains our top priority, and we will continue to take the appropriate steps needed to safeguard their information and enhance our data security policies.
But there is a silver lining in this medical records fiasco - it seems as though Vickery was, in fact, the only person to download the open Systema Software file.
"On September 9 the Kansas Department of Health and Environment was notified that a file containing information related to state employees’ worker’s ... had been discovered online. We have worked with our contractor to determine what information was available and to whom it was available. We are confident that all identities remain safe and confidential," the department reported to Gizmodo.