After Breach, Mental Healthcare Provider Sues Amazon

SalusCare Seeks to Protect Exfiltrated Data Found in AWS Buckets

A Florida-based mental healthcare provider is taking legal steps to help ensure that sensitive patient data that apparently was exfiltrated from its systems and stored in Amazon Web Service buckets is protected from further exposure.

Fort Myers-based SalusCare Inc. says an unknown attacker exfiltrated a database containing "thousands" of its patient and employee files, including sensitive psychiatric and addiction records and Social Security numbers. That data now resides in two AWS buckets, the organization says.

In a lawsuit, SalusCare asked a federal court to order AWS to provide it with “a complete copy of the contents of the cloud-based AWS buckets along with complete audit logs of all transfers of information into and out of the AWS buckets, and thereafter permanently purge all contents of the AWS buckets.”

SalusCare also asked the court to order "John Doe," the unknown hacker, to turn over data stored in the buckets and take the same steps requested of AWS.

Meanwhile, on Thursday, a Florida federal court issued a temporary restraining order preventing AWS from allowing anyone to access the contents of two buckets that SalusCare alleges contain the stolen data.

A second temporary restraining order states: "John Doe, its officers, agents, servants, and employees and any persons in active concert or participation with them are temporarily restrained and enjoined from directly or indirectly accessing, transferring, disclosing, or dealing with any data stolen from SalusCare."

The restraining orders remain in effect until April 8.

SalusCare contends that without the temporary restraining order, the hacker is likely to access the stolen information and sell it. "Because of the nature of the stolen data, its unauthorized disclosure is likely to cause irreparable harm to the privacy, health, credit and finances of SalusCare’s patients and employees," the organization's court filing notes.

"John Doe will likely sell the stolen information on the 'dark web' where it will likely be used to promote identity theft and possible online disclosure - any of which would cause substantial, imminent and irreparable harm to [SalusCare]," the lawsuit states.

The Security Incident

SalusCare says that on March 16, one of its computer technicians responded to reports of a computer slowdown and discovered through audit logs that SalusCare’s server had been hacked and a database copied by an attacker.

The server was protected by passwords given only to SalusCare’s employees, the organization states in its lawsuit.

“SalusCare’s audit logs showed that the hacker’s 'code' originated in Ukraine, and that the servers were copied to two of Amazon’s virtual storage 'buckets' identified as s3://saluscare and s3://saulscare," the lawsuit notes. “SalusCare has no business in Ukraine and is unaware of any legitimate, non-fraudulent explanation for such an exfiltration of data."

The stolen database contains thousands of SalusCare’s electronically stored patient and employee files, the lawsuit states.

SalusCare's court filing doesn't provide further details about the hacking incident.

Crime Risk

Before filing the lawsuit, SalusCare’s lawyers engaged in substantive communication with attorneys in Amazon’s general counsel office, the lawsuit states.

"Amazon told SalusCare that it suspended the hacker’s access to the data. But Amazon did not promise to maintain the suspension, and said that without a temporary restraining order or injunction, it could lift the suspension without notice to SalusCare," the lawsuit notes.

Besides seeking the injunctions, the lawsuit seeks damages and alleges John Doe committed violations of the Computer Fraud and Abuse Act and the Computer Abuse and Recovery Act.

Neither SalusCare nor AWS immediately responded to Information Security Media Group's requests for comment.

Right Moves?

Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C. says he thinks the court's injunctions should become permanent. "Those injunctions are proper against John Doe but is a bit thinner against Amazon," he says. Still, the injunction against AWS "imposes an obligation on Amazon to make sure that it minimizes the potential for exfiltration of patient PHI through Amazon mishandling – meaning that Amazon needs to take care that this information stays in the barn."

What's most significant about the injunctions is that they require that both the unnamed hacker and the cloud provider take measures to protect SalusCare's information from further exfiltration, he says. This "now places a burden on Amazon, as well."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
