A Utah-based COVID-19 testing service, Premier Diagnostics, accidentally exposed the personally identifiable information (PII) belonging to 50,000 patients through an unsecured server. The exposé was done by Comparitech’s lead researcher Bob Diachenko, who discovered the unsecured database of Premier Diagnostics during one of his routine scans. The exposed data included patients’ sensitive information like scanned passport copies, medical/health insurance IDs, driver’s licenses, and so on. According to Diachenko’s investigation, the exposed data majorly belonged to people from Utah and the neighboring states of Nevada and Colorado.
About the Exposé
As per Comparitech’s blog, Diachenko found two large unsecured Amazon S3 Buckets of Premier Diagnostics, however, he was initially unaware of who they belonged to. One of these S3 buckets was named patient-images and contained 207,524 images of patients’ photo ID scans. Whereas the second S3 bucket, which was named paper-records, included a tabular database of names, dates of birth, and test sample IDs from patients who took COVID-19 tests from their 11 diagnostic centers across Utah. Giving a detailed case study of how things panned out, Comparitech published the following timeline:
- January 25, 2021 – The first of the two databases was indexed by a search engine.
- February 22, 2021 – Diachenko discovered the exposed data and began his investigation to identify the owner.
- February 24, 2021 – Unable to identify the owner, Diachenko sent an alert to the Amazon Web Services security team. He received a response that the owner would be informed via internal channels.
- February 25, 2021 – After further examination of exposed data, Diachenko identified Premier Diagnostics as the likely owner, and sent a disclosure accordingly.
- March 1, 2021 – After several days with no response, Comparitech’s editorial team was able to establish contact with Premier Diagnostics. The data was secured later in the day.
- March 5, 2021 – Premier Diagnostics requested additional time for security experts to review their infrastructure.
Doing the math, the number of images exposed was more than 200,000 however, the number of patients affected was only over 50,000. Something did not add up correctly. Comparitech reached out to Premier Diagnostics and found that “each patient is associated with four images: the front and back of a medical insurance card, and the front and back of a second ID such as a driver’s license or passport. That means roughly 52,000 patients are affected.”
The data has now been secured by Premier Diagnostics and no exploitation of the details has been registered as of now. However, the type of data exposed in this incident can lead to identity theft, phishing attacks, health insurance fraud, etc. against the patients who have been affected. Owing to this we request all the patients who have taken the COVID-19 tests at Premier Diagnostics to be alert and monitor all financial and important services associated with them that are linked with the exposed data.