A medical Q&A service provider is facing criticism about its security processes after a cloud misconfiguration appeared to leak sensitive images of thousands of patients.
A team at Safety Detectives reportedly discovered the Amazon S3 bucket before tracing it to a Japanese firm called Doctors Me. There were reportedly no authentication controls in place, leaving the bucket wide open.
Doctors Me offers a service enabling users to upload images of medical conditions to receive anonymous, online diagnoses from clinicians.
The cloud storage misconfiguration left 300,000 files at the mercy of potential threat actors.
The 30GB of leaked data contained over 12,000 unique images, including sensitive photos of children and infants.
Researchers at Safety Detectives issued a statement on the incident:
“Criminals could potentially identify Doctors Me customers and any other dependents who have their face or unique identifiable characteristics (i.e. unique tattoos) pictured on the bucket. Hackers could also identify users if one of their medical pictures was uploaded to multiple other platforms,” the team said.