This article is more than 1 year old
Rotherwood Healthcare AWS bucket security fail left elderly patients' DNR choices freely readable online
Plus birth certificates, job interview data and more
A leak of 10,000 records at a Leicestershire care home provider exposed elderly patients' wishes not to be resuscitated, detailed care plans and precisely how much councils paid for individual patients' care.
Not only did Rotherwood Care Group, trading as Rotherwood Healthcare, leave an Amazon Web Services S3 bucket accessible to everyone on the internet, the British company’s website privacy policy consisted solely of lorem ipsum placeholder text.
The leak came from an S3 bucket that was left unsecured. The Register was alerted to it by a security researcher who also informed his nearest branch of the GCHQ-sponsored Cyber Protect network.
When The Register contacted Rotherwood to ensure the open data was closed off prior to publication of this article, the company responded with lawyers' letters.
Rotherwood Healthcare's online privacy policy. It can be read here.
Lorem ipsum, sometimes known as lipsum, is default placeholder text used in design and publishing.
The unsecured S3 bucket appeared to be powering Rotherwood's internal system, a CRM-style software suite that looks to be used to capture and store essential data about staff and patients alike.
Around 10,000 individual files were left exposed in the bucket. Among those were internal care plan audits. Prepared for care home staff to assess whether care plans themselves were fit for use, these documents not only included patients’ full names and health conditions but also their “DNACPR” (resuscitation) choices.
Scans of what appeared to be staff members’ passports and birth certificates were also in the bucket, along with job interview questions and answers.
Emails from local councils confirming exactly how much they were paying towards residents’ stays were also freely accessible to anyone visiting the bucket, along with details about patient-specific specialist medical equipment.
To its credit, the business closed off the bucket from public access within a day of being informed.
A Rotherwood spokesman told The Register: “We at Rotherwood Group take the protection of personal data very seriously. Once we became aware of a security issue affecting some data held on our cloud-based system, we took immediate steps to rectify it. We are not aware of any data misuse and we are continuing to investigate this matter, including liaising with the ICO.”
There is no excuse in this day and age for AWS buckets to be left unsecured. Amazon provides tools for detecting and closing off inappropriately opened buckets – you can find a plain-English overview of these tools here – while plenty of companies have been caught out exposing sensitive personal and commercial information alike since the inception of public cloud storage.
One such example was Teletext Holidays last year, which was exposing call recordings that included credit card number tones generated from phone keypad inputs. ®