DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Open wide and say, “Ugh, My Data!!!!!”

Posted on October 27, 2019 by Lee J

This is the story of how mapping and analysis of an open elastic search led to the discovery of a misconfigured Amazon s3 bucket that exposed data from hundreds of thousands of dental patients.

If you live in Brazil, you may already be experiencing breach fatigue from having had so much of your personal and medical information exposed online. But if you use a dentist in Brazil, the chances are good that your dental information may also have been exposed — if your dentist uses Dental Office software by Roger Software and has their patient data hosted by them.

Roger Software (RH Software) is a well-established Brazilian firm that offers software for dental practices, medical practices, and physiotherapy practices. In this case, some exposed data related to Dental Office was first discovered in an open elastic search in September. The exposed information was very basic and incomplete, but one of the data fields contained a URL to a prefilled s3 bucket linking to a default user’s photo. Inspection of the exposed data led to the discovery of a second Amazon s3 bucket. This second — and misconfigured — bucket was exposing more than 800,000 images from patients of Dental Office clients. In total, there appeared to be approximately 1,300 Dental Office clients and 300,000 total patients.

The exposed patient data included information on missed appointments going back to 2012, and older documents dated from 2008 – 2012.  Most of the uploaded files appeared to be from 2012, so the older files were likely scanned in as part of the entities switching over to digital records. There were also some photos that may have been personal photos uploaded by clients, but most of the image files were patients’ facial images from different angles with dental x-rays, dental reports, or documents.  All files were in image format. Some contained personally identifiable information (PII) or protected health information (PHI) such as name, age, doctor, and location, as well as other personal medical information, but from the photos alone, the patients would be identifiable. Some of the photos were of young children.

Attribution to Roger Software was relatively easy after inspection of one folder on the bucket, and on October 26, this researcher contacted Roger Software about the misconfigured bucket, giving them the URL and noting that approximately 800,000 files were exposed.

Within 24 hours, the bucket was secured, but Roger Software did not send any acknowledgment of the notification.  DataBreaches.net then reached out to them to ask them whether they intended to notify their clients of the incident or any patients. Not surprisingly, no response was immediately provided. This post will be updated if the software firm responds, but it is not clear whether notification would even be required under Brazilian law. For those curious about that aspect, DLA Piper provided a summary in January 2019 of Brazil’s notification criteria and requirements. You can find their summary here.

While a leak involving a medical or dental practice is not new, this incident serves as a timely reminder that sometimes, having your software provider host your patient data may leave you more vulnerable than you might expect. While cloud solutions are hailed as being better and more secure than desktop solutions that may not be updated or patched quickly and that may not be monitored by full-time security personnel, having a third party host your patient data is not a panacea. The third party may forget to reinstall a firewall after an upgrade, or they may have a rogue employee who is copying and exfiltrating your assets, they may themselves fall prey to a phishing attack or a ransomware attack, or they may just screw up.  As we all know, there just is no perfect security.


Reporting by Lee J.  Editing by Dissent.

Category: ExposureHealth DataNon-U.S.Of NoteSubcontractor

Post navigation

← Ca: Dozens of patient records stolen from Winnipeg’s Children’s Hospital
UniCredit reveals data breach exposing 3 million customer records →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.