Security researchers have discovered that more than 47GB worth of sensitive medical records belonging to an estimated 150,000 Americans were inadvertently left exposed in an unsecured Amazon server. Kromtech Security Researchers said the exposed documents were associated with healthcare firm Patient Home Monitoring (PHM), which provides in-home monitoring and disease management services for patients in the US.

The files were left exposed in a publicly accessible Amazon S3 repository that included about 47.5GB worth of sensitive medical data, including patients' names, addresses, phone numbers, diagnoses and test results. Many records also contained dates of birth and names of physicians overseeing the patients as well.

The bucket included 316,363 PDF reports in the form of weekly blood test results, many of which were multiple reports on individual patients. Each patient appeared to have weekly test results with a total of about 20 files each.

Photo: Newsweek Media Group

Kromtech noted that most of the records seemed to be related to tests conducted over the past summer.

After discovering the exposed S3 bucket on 29 September, the company was officially notified of the issue on 5 October. The database was then secured the next day, but researchers said they did not receive any response from the firm.

"This is yet another wake-up call for companies who try to bridge the gap between healthcare and technology to make sure cybersecurity is also a part of their business model," Alex Kernishniuk, Kromtech's VP of Strategic Alliances, said.

"This Amazon repository was misconfigured to be publically available and anyone with an internet connection could access these confidential medical records. Even the most basic security measures would have prevented this data breach.

"Unfortunately, there are many more databases and cloud storage repositories waiting to be discovered and the Kromtech Security Center is committed to helping to secure and protect data online."

It is unclear how long the files were left exposed or whether it was accessed by anyone else before the company was notified.

International Business Times has contacted PHM for comment.

According to Hipaa's (Health Insurance Portability and Accountability Act) breach notification rule, healthcare providers and any entities covered by Hipaa and their associates must notify affected individuals, the US Department of Health and Human Services Secretary and, in some cases, the media, of a breach involving unsecured protected health information.

The individual notifications must be provided "without unreasonable delay and in no case later than 60 days following the discovery of a breach". In case of a breach affecting more than 500 people of a state or jurisdiction, the company must also inform prominent media outlets serving the area.