UPDATE: Italy, exposed database puts dental clinic patients’ data at risk

UPDATE: 9/3/2024

Yesterday, we wrote that we would wait until Friday before publishing an update on this case, at which point we would include all deliberately omitted details, including the names of the companies involved. We decided to take this approach to give the two parties involved more time to correct the serious error concerning the failure to protect the data, with the sole aim of trying to safeguard the privacy of all those patients whose sensitive data had been exposed, unfortunately, for at least three weeks. However, there are important updates that, for us, close the case, and they are very good news.

In the article, we mentioned that yesterday, September 2, we had again contacted the dental clinic, but this time we used a more direct approach by calling them. We once again explained the existence of a database containing sensitive patient data and that hundreds of files were still online, stored in an unprotected, “open” Amazon S3 (Simple Storage Service) bucket.

During the phone conversation, the dental clinic’s operator reassured us that she would immediately inform her employer as well as the owners of the company that supplies them with dental implant materials and also manages the Amazon S3 space. And that’s exactly what happened.

Today, we visited the problematic URL [EDITED]s3.amazonaws.com again, and finally, someone has taken action: the files containing sensitive patient information are no longer accessible.

The first of the two screenshots below was taken yesterday afternoon, September 2, when the bucket was still exposed and unprotected. The second screenshot was taken this afternoon after the cloud space manager corrected the issue, rendering it inaccessible from the outside.

[Screenshot 1: the bucket listing as seen on the afternoon of September 2, still exposed and unprotected]

Screenshot and redaction by SuspectFile.com

[Screenshot 2: the same URL on the afternoon of September 3, after the cloud space manager made the bucket inaccessible from the outside]

Screenshot and redaction by SuspectFile.com
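The fix shown in the second screenshot is, from the bucket owner's side, a matter of making sure no policy grants anonymous read or list access and that S3 Block Public Access is fully enabled. The following is an added example (not code from SuspectFile.com or from either company involved) of the offline check an owner or DPO could run over the JSON returned by `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`; the bucket name, account ID, role name and both policies are constructed for illustration.

```python
import json

# Constructed sample: a permissive bucket policy of the kind that makes every
# object readable, and the bucket listable, by anyone who knows the URL.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the same bucket limited to one IAM role (hypothetical ARN).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/clinic-upload"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal) -> bool:
    """True when a statement applies to everyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def public_read_statements(policy_json: str) -> list:
    """Allow statements that let anonymous callers read objects or list the bucket.
    Conditions are deliberately ignored, so the check errs on the side of flagging."""
    read_actions = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & read_actions:
            hits.append(stmt)
    return hits

def public_access_block_complete(config: dict) -> bool:
    """True only when all four S3 Block Public Access settings are switched on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)
```

A bucket passes only when `public_read_statements` returns an empty list and `public_access_block_complete` is true for the `PublicAccessBlockConfiguration` object; anything else leaves the anonymous download path the article describes.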

As we wrote at the beginning of the article, our intention was to provide a detailed description, through the publication of documents prepared to protect the patients’ privacy, of the real danger posed by leaving unprotected 3D dental images, estimates, invoices, and personal data (name, surname, date of birth) of dozens of the dental practice’s patients.

However, while we were writing the article, we received an email from the dental clinic’s medical director informing us that he had personally contacted the implant service provider, who is directly responsible for the protection of the documents as well as the manager of the cloud space where they were stored, alerting them about their exposed bucket.

[Screenshot 3: the email received from the dental clinic's medical director]

Screenshot and redaction by SuspectFile.com

Here is the translation of the email from the medical director.

Good morning,

I received your message yesterday, and I thank you for it.

I have immediately taken action with both the service provider and our designated DPO. I am leaving my direct contact number for further communication: [EDITED].

I would like to get in touch with you to gather more information on what happened and to verify the quality of the services I am using.

Best regards.

[EDITED]

Shortly after receiving the email, the same medical director also contacted us by phone, asking for our opinion on the possible causes that led to the data exposure. During the call, we had the strong impression of dealing with an honest person, genuinely concerned and firmly determined to resolve the case, which is why we decided not to disclose the names of the two companies involved.

The medical director assured us that in the coming days, he would personally follow up on the matter and that the Data Protection Officer (DPO) appointed by his dental practice had already been alerted and was conducting the necessary legal checks. He also wanted us to know that his patients would be notified as well.

We advised him to have a serious discussion with the medical implant material supplier, to understand who actually manages the Amazon S3 cloud space—whether it’s them or, as we suspect, an indirect third-party provider—and to demand that his patients’ data be managed and protected in accordance with the law. It is likely that, at the end of this entire situation, we will discover that the two companies were, in fact, inadvertently affected.

We do not know if the data that was exposed in the bucket until yesterday was previously downloaded by malicious actors or if it will be used for identity theft, phishing, smishing, or other fraudulent activities. We also pointed out this possibility to the medical director and advised him to take protective measures.

Properly protecting sensitive data should never be optional, but when it is neglected, the consequences can be as we have described in these two articles.

9/2/2024

This article is being published while deliberately omitting, for now, the names of the two companies involved. The first is a company that provides implant materials, and the second is a dental clinic. Both companies have their operational headquarters in a Lombardy province near Milan.

In mid-August, the independent researcher and blogger @chum1ng0 from NewsChu contacted us to inform us that during some of his research, he came across an exposed ‘Italian bucket’ hosted on Amazon Web Services (AWS). The company that supplies implant materials to several dental practices is also the entity managing the web space where the data is still hosted.

In mid-August, after verifying the contents of the files hosted on AWS in an Amazon S3 (Simple Storage Service) bucket, we decided to postpone publishing the news so as not to compromise the privacy of the individuals involved. On August 18, we contacted the web space manager via email to inform them of the issue and reassured them that the news would not be published during those days, but that we would delay the publication until early September. Our delay was intentional, to give them time to remove the data or otherwise secure it.

More than two weeks after our email, we wanted to check if anything had changed. We hoped that the time given to the Italian company, responsible for data storage and therefore the privacy of a dental practice’s patients, would have been used effectively… but nothing. As of today, September 2, all the data is still online and without any protection. We would like to clarify that the same email was sent on the same day, for information purposes, also to the dental practice, but we received no response from them either.

Among the archived files, we were able to verify the presence of 3D dental images, estimates, invoices, and personal data (name, surname, date of birth) of dozens of the dental practice’s patients.

Seeing no interest from the two companies involved in this case of poor management of sensitive patient data, this afternoon, we further tried to help them resolve the issue. We decided to call the dental practice, warning them that hundreds of 3D dental images containing patients’ personal details were still unprotected, so anyone aware of the AWS URL could freely download them.

The operator who answered, Mrs. M., reassured us that she would inform the dental practice’s managers and the supplier of the medical implant materials.

SuspectFile.com will publish a more detailed article on the matter next Friday without further delay, hoping that, by then, someone will decide to take action to protect the privacy of several hundred patients.