DataBreaches.Net


Open wide and say, “Ugh, My Data!!!!!”

Posted on October 27, 2019 by Lee J

This is the story of how mapping and analysis of an open Elasticsearch instance led to the discovery of a misconfigured Amazon S3 bucket that exposed data from hundreds of thousands of dental patients.

If you live in Brazil, you may already be experiencing breach fatigue from having had so much of your personal and medical information exposed online. But if you use a dentist in Brazil, the chances are good that your dental information may also have been exposed — if your dentist uses Dental Office software by Roger Software and has their patient data hosted by them.

Roger Software (RH Software) is a well-established Brazilian firm that offers software for dental practices, medical practices, and physiotherapy practices. In this case, some exposed data related to Dental Office was first discovered in an open Elasticsearch instance in September. The exposed information was very basic and incomplete, but one of the data fields contained a URL into an S3 bucket, pointing to a default user photo. Inspection of the exposed data led to the discovery of a second Amazon S3 bucket. This second — and misconfigured — bucket was exposing more than 800,000 images from patients of Dental Office clients. In total, there appeared to be approximately 1,300 Dental Office clients and 300,000 patients.
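The discovery chain above (an exported record carrying an S3 URL, and a second bucket that turned out to be world-readable) maps onto two checks a defender can run against their own data and buckets. The following Python helper is an added example, not code from the post or from Roger Software: `buckets_referenced()` inventories which S3 buckets an exported data set points at, and `assess_bucket()` decides from a bucket's ACL, bucket policy and Public Access Block settings whether anyone can list or read it. The input shapes follow what `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return; the function names, the sample records and every bucket name and setting below are constructed for illustration.

```python
"""S3 exposure audit helper (added example; not the post's or Roger Software's code).

Checks:
  1. buckets_referenced(): which S3 buckets an exported data set points at
     (an exposed record carrying an S3 URL is how the second bucket was found).
  2. assess_bucket(): whether a bucket's ACL, bucket policy and Public Access
     Block settings leave it listable or readable by anyone.
Input shapes follow `aws s3api get-bucket-acl`, `get-bucket-policy` and
`get-public-access-block`; all sample values below are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

# Virtual-hosted style: https://bucket.s3[.region].amazonaws.com/key
_VHOST = re.compile(r"https?://([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com(?:/|$)", re.I)
# Path style: https://s3[.region].amazonaws.com/bucket/key
_PATH = re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)(?:/|$)", re.I)


def buckets_referenced(records: Iterable[dict]) -> set[str]:
    """Collect bucket names from S3 URLs found in any string field, recursively."""
    found: set[str] = set()

    def walk(value) -> None:
        if isinstance(value, dict):
            for v in value.values():
                walk(v)
        elif isinstance(value, list):
            for v in value:
                walk(v)
        elif isinstance(value, str):
            for rx in (_VHOST, _PATH):
                for m in rx.finditer(value):
                    found.add(m.group(1).lower())

    for rec in records:
        walk(rec)
    return found


# ACL grantee groups that mean "anyone" (AuthenticatedUsers = any AWS account, so effectively public).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def assess_bucket(acl: dict, policy: Optional[dict] = None, pab: Optional[dict] = None) -> dict:
    """Return {"public": bool, "findings": [...]} for one bucket.

    IgnorePublicAcls makes public ACL grants inert; RestrictPublicBuckets stops a
    public bucket policy from granting anonymous access. The other two PAB flags
    only prevent *new* public settings, so they do not change the result here.
    """
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    ignore_acls = bool(cfg.get("IgnorePublicAcls", False))
    restrict_policy = bool(cfg.get("RestrictPublicBuckets", False))

    acl_public = any(
        g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
        and g.get("Permission") in ("READ", "FULL_CONTROL")
        for g in acl.get("Grants", [])
    )

    policy_public = False
    for st in (policy or {}).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (st.get("Effect") == "Allow"
                and _principal_is_anyone(st.get("Principal"))
                and not st.get("Condition")  # an unconditional grant
                and any(a in READ_ACTIONS for a in actions)):
            policy_public = True
            break

    findings = []
    if acl_public and not ignore_acls:
        findings.append("ACL grants READ to a global group and IgnorePublicAcls is off")
    if policy_public and not restrict_policy:
        findings.append("bucket policy allows anonymous read and RestrictPublicBuckets is off")
    return {"public": bool(findings), "findings": findings}


# Constructed sample records resembling an exported user table with profile-image URLs.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Patient A", "photo": "https://example-avatars.s3.amazonaws.com/default/user.png"},
    {"id": 2, "name": "Patient B", "photo": "https://s3.sa-east-1.amazonaws.com/example-clinic-files/42/xray.jpg"},
    {"id": 3, "name": "Patient C", "photo": None, "notes": ["no image"]},
]

# Constructed bucket configurations (placeholder owner id, placeholder bucket names).
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                           "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-clinic-files/*"}]}
PAB_ALL_ON = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}


if __name__ == "__main__":
    print("buckets referenced:", sorted(buckets_referenced(SAMPLE_RECORDS)))
    for label, args in {
        "open acl, no PAB": (OPEN_ACL, None, None),
        "open acl, PAB on": (OPEN_ACL, None, PAB_ALL_ON),
        "private acl, open policy": (PRIVATE_ACL, OPEN_POLICY, None),
        "private acl, open policy, PAB on": (PRIVATE_ACL, OPEN_POLICY, PAB_ALL_ON),
    }.items():
        print(f"{label}: {assess_bucket(*args)}")
```

The point of the second half is that a public ACL or a `Principal: "*"` policy is only exposure when the account-level or bucket-level Public Access Block does not neutralise it, so an audit has to read all three settings together rather than flagging on the ACL alone. Running the first half over an export of your own application data tells you which buckets such an audit needs to cover, including ones that only show up as URLs inside records.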

The exposed patient data included information on missed appointments going back to 2012, and older documents dated from 2008 – 2012. Most of the uploaded files appeared to be from 2012, so the older files were likely scanned in as part of the practices' switch to digital records. There were also some photos that may have been personal photos uploaded by clients, but most of the image files were patients' facial images from different angles, together with dental x-rays, dental reports, or documents. All files were in image format. Some contained personally identifiable information (PII) or protected health information (PHI) such as name, age, doctor, and location, as well as other personal medical information, but even from the photos alone the patients would be identifiable. Some of the photos were of young children.

Attribution to Roger Software was relatively easy after inspection of one folder on the bucket, and on October 26, this researcher contacted Roger Software about the misconfigured bucket, giving them the URL and noting that approximately 800,000 files were exposed.

Within 24 hours, the bucket was secured, but Roger Software did not send any acknowledgment of the notification. DataBreaches.net then reached out to them to ask whether they intended to notify their clients or any patients of the incident. Not surprisingly, no response was immediately provided. This post will be updated if the software firm responds, but it is not clear whether notification would even be required under Brazilian law. For those curious about that aspect, DLA Piper provided a summary in January 2019 of Brazil's notification criteria and requirements. You can find their summary here.

While a leak involving a medical or dental practice is not new, this incident serves as a timely reminder that sometimes, having your software provider host your patient data may leave you more vulnerable than you might expect. Cloud solutions are hailed as better and more secure than desktop solutions that may not be updated or patched quickly and that may not be monitored by full-time security personnel, but having a third party host your patient data is not a panacea. The third party may forget to reinstall a firewall after an upgrade, they may have a rogue employee copying and exfiltrating your assets, they may themselves fall prey to a phishing or ransomware attack, or they may just screw up. As we all know, there is no perfect security.


Reporting by Lee J.  Editing by Dissent.


Categories: Exposure, Health Data, Non-U.S., Of Note, Subcontractor
