UIHC informed approximately 5,300 patients that its development team inadvertently created an openly accessible data store in the cloud in 2015, and did so only after a 'security researcher' told them about the exposed data.

The University of Iowa Health Care (UIHC) recently sent letters to 5,300-plus patients whose personal identifying data was left exposed for more than two years (May 2015 to 2017) by an unidentified employee. UIHC explained to its patients that, while developing a UIHC web application, one of its software developers pushed the data to an open-source website used for storage (not further identified) and also used by web developers.

How was the data discovered?

The Iowa City Press-Citizen reports that an unidentified security expert notified UIHC on April 29, 2017 (a Saturday) that the data was sitting where anyone could access it, and that on May 1, 2017, UIHC removed the files.

The scenario is a bit of déjà vu for those who have been following the recent string of organizations carelessly letting their data be hosted in environments where anyone with the link could read it. Most recently, this happened to 14 million Verizon customers whose data was found sitting in a misconfigured Amazon Web Services (AWS) data store, and to Deep Root, whose misconfigured AWS data store exposed data on hundreds of millions of U.S. voters. UIHC has not named its storage provider; it may also have been AWS. Another case is Booz Allen Hamilton, which learned it had exposed files connected with the National Geospatial-Intelligence Agency, again on misconfigured AWS storage.

The Privacy Rights Clearinghouse lists several earlier incidents in which University of Iowa data was exposed, so this was not the first time the university's personal identifying information (PII) was inadvertently made public.
Indeed, in 2008, the University of Iowa's School of Engineering inadvertently exposed information on former students, including Social Security numbers, for a period of several months. And according to Health IT Security, a 2012 audit of the UIHC found that 250 laptops containing patient information were password protected but not encrypted, an early warning to UIHC about the need to protect patient information.

According to The Gazette (Cedar Rapids), UIHC has promised to tighten its security protocols and enhance employee training on data privacy. Its advice to those whose data was in the exposed set: "Watch your explanation of benefits (EOB) for any suspicious activity."

UIHC's reaction to the notification that its patient information was open to all was textbook correct. It contained the exposure by removing the files. It then conducted an internal investigation together with the unidentified storage provider to determine what the audit trails showed about access during the two years the data sat there. Finally, it informed those affected and told them what to do to protect themselves downstream.

Free or low-cost cloud storage is everywhere, and that makes it an attractive choice for development teams and for anyone assembling data sets for analysis. CISOs will be well served to go to school on the UIHC experience and educate their trusted insiders on the need to protect PII at all times, not just in production but also in development.
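The recurring failure in the cases above (Verizon, Deep Root, Booz Allen Hamilton, and possibly UIHC) is a storage bucket that anyone with the link can read. The following is an added example, not code from the article or from UIHC: a small offline checker that reads an S3 bucket policy, ACL grants and Block Public Access settings in the shape returned by boto3's get_bucket_policy(), get_bucket_acl() and get_public_access_block(), and reports whether the bucket is exposed to the world. The article does not confirm UIHC used AWS; the bucket name, account ID and role name below are placeholders, and the two configurations (the weak one beside its hardened counterpart) are constructed for illustration.

```python
"""Flag S3 bucket settings that let "anyone with the link" read objects.

Added example, not from the article. Input documents follow the shape of
boto3's get_bucket_policy()/get_bucket_acl()/get_public_access_block()
responses, but everything here is constructed and runs offline.
"""
import fnmatch
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")  # the actions that leak data


def _as_list(value):
    """IAM allows a string or a list in most positions; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    """True if any action pattern (s3:*, s3:Get*, ...) covers a read action.
    IAM action matching is case-insensitive, so compare lower-cased."""
    for pattern in _as_list(actions):
        for wanted in READ_ACTIONS:
            if fnmatch.fnmatchcase(wanted.lower(), pattern.lower()):
                return True
    return False


def policy_findings(policy):
    """Findings for Allow statements that grant read access to everyone."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action")):
            continue
        if st.get("Condition"):
            findings.append(f"statement {i}: public read, restricted by a Condition (review it)")
        else:
            findings.append(f"statement {i}: unconditional public read")
    return findings


def acl_findings(grants):
    """Findings for legacy ACL grants to the two predefined public groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if perm not in ("READ", "FULL_CONTROL"):
            continue
        if uri == ALL_USERS:
            findings.append(f"ACL grants {perm} to AllUsers (anonymous)")
        elif uri == AUTH_USERS:
            findings.append(f"ACL grants {perm} to AuthenticatedUsers (any AWS account)")
    return findings


def assess_bucket(policy, grants, public_access_block):
    """Combine the three sources. With all four Block Public Access flags on,
    public ACLs are ignored and public policy grants are restricted, so the
    bucket is not exposed even if the documents below still look public."""
    block = public_access_block or {}
    fully_blocked = all(block.get(k) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    findings = policy_findings(policy) + acl_findings(grants)
    if fully_blocked:
        return {"exposed": False, "findings": findings,
                "note": "Block Public Access overrides the findings above; fix them anyway"}
    return {"exposed": bool(findings), "findings": findings}


# Constructed weak configuration: the "dev team pushed data to storage anyone can read" case.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "LetAnyoneRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-dev-exports/*"}]}
WEAK_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed hardened counterpart: one named role (placeholder account/role), owner-only ACL,
# and Block Public Access fully on.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DevRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/dev-exports-reader"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-dev-exports/*"}]}
HARDENED_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(WEAK_POLICY, WEAK_GRANTS, NO_BLOCK), indent=2))
    print(json.dumps(assess_bucket(HARDENED_POLICY, HARDENED_GRANTS, FULL_BLOCK), indent=2))
```

Run against the constructed weak configuration the checker reports two findings (a wildcard-principal policy statement and an AllUsers ACL grant) and marks the bucket exposed; the hardened configuration produces none. Note that the article's exposure lasted two years before anyone noticed, which is why a check like this belongs in a scheduled job over every bucket, including the ones development teams create, rather than in a one-off review.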