Latest Health Data Breaches News

Amazon Sued for Hosting Florida Provider’s Stolen Healthcare Data

Florida-based SalusCare has sued Amazon Web Services for hosting healthcare data allegedly stolen from the Florida provider. The lawsuit aims to compel the data’s release.

healthcare data exfiltration breach lawsuit Amazon

By Jessica Davis

- SalusCare, on behalf of its patients, has sued an unnamed hacker and Amazon Web Services. According to the lawsuit, AWS is hosting healthcare data allegedly stolen from the Florida mental health provider on its platform, which may likely be promoted for sale online on the dark web.

The lawsuit argues that the stolen data stored in the AWS buckets could be used to promote identity theft and possible online disclosure. As such, the lawsuit seeks a temporary restraining order to halt the attacker’s access to the data.

“SalusCare has established that the threatened harm substantially outweighs any potential harm to Amazon or [the hacker] because SalusCare is likely to suffer irreparable harm, while the [individual] would suffer, at worst, a temporary loss of access to the information while it makes its case,” according to the lawsuit.

“Amazon would suffer no conceivable harm in a temporary freeze of the buckets,” the lawsuit continues. “A temporary restraining order would simply allow the parties to maintain the status quo, thereby ensuring [the hacker] will not have an opportunity to access or use the subject information while it hypothetically pursued its legal rights.”

The databases in question contain thousands of electronically stored patient and employee files of SalusCare, including “extremely personal and sensitive records of patients’ psychiatric and addiction counseling and treatment.”

The stolen data also includes financial information, Social Security numbers, and credit card numbers of both patients and employees.

The SalusCare security incident has yet to be disclosed on its website or on the Department of Health and Human Services breach reporting tool. But according to the suit, the provider first learned of the hack and exfiltration when it detected a slowdown of its network on March 16.

SalusCare launched a forensics investigation and found its data had been sent to one or two AWS storage buckets, “pursuant to code originating in Ukraine.” As the provider has no business in that country, there could be no legitimate reason for such exfiltration.

Upon discovery, the provider contacted Amazon to request the buckets of stolen data to be locked. The tech giant soon informed SalusCare that the accounts had been suspended.

The lawsuit suggests that the voluntary suspension is neither an injunction or an agreement, and the concern is that the provider does not have assurance of how long the accounts will remain in suspension.

As such, a TRO that enjoins Amazon from allowing access to the buckets is critically necessary to avoid further injury, according to the suit.

Further, as the investigation has not determined the identity of the hacker or the precise scope of the intrusion, the risk to the impacted patient is imminent. The lawsuit claims the patient has already spent $12,000 to investigate the incident and remediate damages incurred by the hacker.

The claims against Amazon ask for injunctive relief under Florida’s Computer Abuse and Recovery Act (FCARA).

“SalusCare has no adequate remedy at law,” according to the lawsuit. “Rather, to protect SalusCare and its patients and employees from irreparable injury, Amazon must be immediately enjoined from allowing [the hacker] any further access to the buckets.”

The lawsuit asks the judge to order Amazon and its leadership members to deliver the patient the contents of the bucket, as well as complete audit logs of all transfers of data into and out of the buckets.

The suit also seeks a complete copy of all data and files exfiltrated from the buckets. After it’s delivered, the suit asks for the buckets to be permanently purged.

A deep dive into the complete court documents shows that Amazon does not oppose the relief sought by the lawsuit. It’s unclear how the unique lawsuit will progress but it could set a precedent in light of the rise in data extortion attempts directed at healthcare providers.

This story will be updated as more information becomes available.