COVID-19 testing service in the State of Utah stored passport scans and other highly personal data on unsecured Amazon S3 buckets.
A COVID-19 testing service in Utah run by Premier Diagnostics exposed sensitive information of more than 50,000 people by storing data on two unsecured Amazon S3 buckets.
What data was exposed
The information included driver’s licenses, medical insurance cards, passports, and other IDs, which were accessible on the web without any authentication procedure, according to the Comparitech researchers.
The data of around 52,000 customers was affected. Based on the samples obtained by the researchers, the affected people were most likely from Utah, Nevada, and Colorado.
In total, over 200,000 images of ID scans were exposed. According to the timeline given by Comparitech researchers, the data was exposed for at least a week, if not longer, which was enough time for attackers to find and steal that publicly exposed data.
Furthermore, researchers also found identification forms that contained detailed personal information about patients such as their name, age, address, photo, gender, ID numbers, and more.
A separate bucket called “paper-records” contained a database that stored names, dates of birth, and test sample IDs from patients who took the COVID-19 test.
The data did not, however, contain any COVID-19 test results, Paul Bischoff of Comparitech wrote in a blog post.
Snapshot of Utah driving licence belonging to one of the patients (Source: Comparitech)
Your identity and privacy are at risk
The patients affected by this data breach face several risks from the exposed data, including health insurance fraud, identity theft, and phishing.
Moreover, medical insurance cards can be used by fraudsters to obtain prescription medication in the victim’s name. Although no payment data or social security numbers were found, cryptocurrency exchanges and online financial services often require ID scans to set up accounts.
A threat actor could use these ID scans to set up as many accounts as they want and obtain the signup bonus or use the accounts as mules.
Premier Diagnostics patients, be aware
It is advised that the victims remain on the lookout for targeted phishing and scam messages. It is likely that they will be contacted through emails and SMS messages posing as Premier Diagnostics and using personal details from the exposed data to make the messages more convincing.
If you had a COVID-19 test at a facility run by Premier Diagnostics, it is advised to avoid opening unknown emails or clicking on links sent via text messages.