After multiple unsuccessful attempts to get a popular Japanese medical online consultation site to secure a misconfigured bucket, researchers at SafetyDetectives have decided to publicly disclose the leak.
Doctors Me provides customers with on-demand access to professional medical advice. People can sign up for a monthly unlimited access plan (for less than $3.00 per month) or a per consultation plan with specified experts.
The patients can use the service anonymously, but in uploading pictures or details about themselves or their children, they may reveal identifying information. Some of the image files reportedly provide sufficient views to be able to identify some patients or children.
When first discovered, the misconfigured bucket contained more than 300,000 image files. SafetyDetectives could not provide a firm count of how many unique consumers had personal information exposed, but estimate that there are at least 12,000 unique individuals represented.
The misconfigured bucket was discovered on November 11, 2021. SafetyDetectives notified Doctors Me the same day and sent a follow-up message to the firm and the Japanese Computer Emergency Response Team (CERT) on November 21. On November 25, they sent a second notice to CERT and also contacted Amazon AWS. On December 15 and January 10, they sent more notifications to Japanese CERT. On January 11, CERT informed SafetyDetectives that they contacted Amazon AWS.
Despite SafetyDetectives’ efforts, the bucket still has not been secured. Although Amazon will reach out to let their customers know if they receive reports of unsecured buckets, the responsibility to secure the bucket remains with the customer.
SafetyDetectives could not determine when the bucket was first exposed. Nor could it determine how many individuals or scrapers might have accessed the exposed files. The oldest file in the bucket reportedly dates to 2015, and the bucket was still being updated at the time of discovery.
A spokesperson for SafetyDetectives informed DataBreaches.net that they never received any response at all from Doctors Me. When asked why they decided to disclose the problem at this time, the spokesperson answered:
We always do our best to have the data secured before we publish anything. But sometimes, waiting so much can also be harmful for the data as it gives the opportunity to other actors (with less ethical mindset) to find it and exploit it. We tried several times to contact the company, we also tried the CERT in Japan, the hosting… We’ve used all our resources. Our last chance for the company to know about their misconfiguration is to publish our report and hope they’ll read about it in the news and finally secure it.
Additional details about their findings and possible risks to consumers from this leak can be found in SafetyDetectives’ full report.
Under Japan’s Act on the Protection of Personal Information (APPI), there is an obligation to properly secure personally identifiable information. Was Doctors Me required to notify the government of this incident? Was it required to notify consumers? And if it did have notification obligations, has it complied with them?
DataBreaches.net sent a contact form inquiry to Doctors Me on March 20, asking whether they were notifying patients of the incident, whether they had notified the Personal Information Protection Commission (PIPC), and what they were doing in response to this incident. No reply has been received by the time of this publication.
If anyone has a contact at Doctors Me or knows any of the doctors/experts who might be able to get the firm to lock down the bucket, please let them know about the data exposure.