7GB of Medical Data Publicly Exposed Thanks to Misconfigured AWS S3 Bucket

A misconfigured AWS S3 bucket belonging to Medcall Healthcare Advisors exposed sensitive patient records as well as confidential doctor-patient audio discussions. For some reason, the story about the misconfigured AWS S3 bucket keeps repeating itself. Verizon, the Pentagon, Toyota, Tesla and the NSA are among the companies that have fallen victim to the same data breach.

In this case, the data breach was detected on August 24, 2018 by risk specialists from cyber resilience company UpGuard. They reported that as much as 7 gigabytes of data from 181 US-based companies had now been compromised. Medical information including personally identifiable information, sickness descriptions, phone recordings, employment history, the Social Security Numbers of 3000 people and injury forms in pdf could easily be accessed used for a number of illicit activities such as identity theft, fraud or blackmail.

“The bucket was publicly writable, as was the ACL permission set, which had an “Everyone – Full Control” statement,” reads their blog.

On August 30, Medcall CEO Randy Baker was informed about the vulnerability and the bucket was closed immediately.

“MedCall Advisors is a comprehensive tele-emergent care medical service utilizing technology to immediately connect anyone experiencing a medical event with a physician Board Certified in Emergency Medicine. Plan participants are able to access physicians through multiple mediums. Landline calls, smart phones and computers provide both audio and video consultations,” says their official website,

The companies affected are part of various industries, including transportation, school districts and large franchise chains such as KFC and Piggly Wiggly.

Leave a Reply