The private health records and contact information for as many as 1.5 million Americans have been found out in the open on Amazon's cloud services.
It has been claimed that the names, addresses, and phone numbers, along with biological health information including existing illnesses and current medications, were posted in the clear to Amazon S3 storage servers by insurers using Systema Software.
It is unknown how the information was uploaded, and the number of affected patients remained unconfirmed at the time of publication.
The records were stored in an SQL database, and found under the URL
Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority and the Salt Lake County Database are known to be affected.
Texan techie Chris Vickery spotted the files on Amazon web servers and reported the breach to Systema Software.
The company has since warned its affected customers and has begun an investigation into what went wrong.
Vickery estimated that roughly one million social security numbers, five million financial transactions, and hundreds of thousands of injury reports had been exposed.
The databases also included password hashes, login names and session information.
Vickery has worked with the state attorney general's office to wipe the records from his hard drives and has cooperated with investigators.
Systema Software said in a statement that initial reviews indicate Vickery was the only unauthorised user to have accessed the files.
"While our investigation is still ongoing, it is important to note that, based on our initial review, we have no indication that any data has been used inappropriately," the company said.
Databreaches.net first reported the breach and said that exposed information included billing prices, various patient identification numbers, and some 4.7 million note entries including data on fraud investigations.
Some of the notes apparently included data on legal matters. One cited by Vickery detailed an apparent raid of medical marijuana plants.