Sunshine Behavioral Health, LLC, is a network of drug and alcohol addiction rehabilitation centers based in San Juan Capistrano, California. According to Dissent of the website databreaches.net, an AWS (Amazon Web Services) S3 storage bucket has been misconfigured. The misconfiguration, notes Dissent, resulted in online exposure of PHI.
Amazon S3 buckets are public cloud storage resources. These buckets, which are essentially the online equivalent of file folders, store objects that consist of data and its descriptive metadata.
What Was the Timeline of Events That Led to the Reporting of the Exposure of PHI?
The timeline of events that led to the reporting of the exposure of PHI is as follows:
In August of 2019, the existence of a misconfigured AWS S3 bucket was first reported to databreaches.net.
Misconfiguration of AWS S3 buckets has been known to previously occur, due to covered entity administrators’ setting access controls to grant access to “authenticated users.” Grating such access en masse – to any employee with an AWS account – grants anyone and everyone access to sensitive patient data that includes PHI. A number of data breaches have occurred as a result of this granting of access to anyone with an AWS account.
In the case of Sunshine Behavioral Health, after the initial report to databreaches.net, Sunshine Behavioral Health was contacted. As a result, in August of 2019, Sunshine secured the buckets, by limiting access controls. Nonetheless, even though PHI had been exposed (i.e., there was a data breach) as a result of the misconfiguration, Sunshine apparently did not report the data exposure to the Department of Health and Human Services’ Office for Civil Rights as required by law. In addition, no breach report can be found on the California Attorney General’s website, and the breach is not mentioned anywhere on the Sunshine Behavioral Health website, despite the fact that Sunshine Health was made aware of the breach more than 60 days ago.
Moreover, Dissent followed up on the breach in November of 2019, and discovered that files were still exposed. Dissent found that the URLs of .pdf files in the bucket could still be accessed, and viewed without the need for a password. If these URLs had been obtained while the bucket was left exposed, the .pdf files could have been accessed and downloaded. The S3 bucket stored 93,000 patient files.
Since then, Dissent attempted to contact Sunshine Behavioral Health, but did not receive a reply.